Skill v1.1.0
ClawScan security
PDF Extract · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:43 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only wrapper for the ComPDF REST API that asks the user for a ComPDF API key and requires explicit user confirmation before uploading files — its requests and instructions are coherent with its stated PDF extraction purpose.
- Guidance: This skill is an instruction-only wrapper around ComPDF's cloud API and appears internally consistent, but take these precautions before installing or using it:
  - Do not upload highly sensitive or confidential documents unless you trust ComPDF and have reviewed their privacy policy (SKILL.md points to the policy URL). The skill requires explicit consent before any upload; only proceed after you confirm.
  - The skill will ask you for your ComPDF API key and offers to save it to config/public_key.txt on disk; if you are unsure, decline to save so the key is used only for the current session and delete any saved file you no longer want to keep.
  - The skill source/homepage is unspecified in the registry metadata (no homepage provided). If provenance matters, prefer an official provider release or verify the owner before trusting long-term use.
  - Verify the API base URL (api-server.compdf.com or api-server.compdf.cn) and that returned download links meet your security needs; links expire the next day per the instructions.

  If you accept those conditions, the skill's behavior matches its description and there are no hidden or unrelated requests in the instructions.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the SKILL.md describes using ComPDF endpoints for OCR, table extraction, conversions, and related operations. Asking for a ComPDF API key and selecting executeTypeUrl values is appropriate for this purpose.
- Instruction Scope (note): Instructions are narrowly focused on calling ComPDF endpoints. They do read/write a local file (config/public_key.txt) to optionally persist the user's API key; this is explained in the doc and is within the skill's domain but is an action users should be aware of. The SKILL.md explicitly requires explicit user consent before uploading files to external servers, which is good practice.
- Install Mechanism (ok): No install spec or code is included (instruction-only), so nothing is written to disk by an installer. Risk from installation is minimal.
- Credentials (ok): The skill requests no environment variables or unrelated credentials. It only asks for the ComPDF API public key (via user prompt), which is proportional to the declared functionality. No other secrets or system credentials are requested.
- Persistence & Privilege (note): always:false and no autonomous privilege escalation. The only persistent action is optionally writing the ComPDF public key to config/public_key.txt if the user consents; the skill does not request system-wide privileges or modify other skills' configs.
