Skill v1.0.2

ClawScan security

PDF Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 11:01 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions match its stated purpose: it wraps a third‑party ComPDFKit SDK, auto-downloads a license and an optional model from compdf.com, and has no unexplained credential or system access.
Guidance
This skill appears coherent for local PDF conversion using the commercial ComPDFKit SDK, but review these items before installing: (1) the skill auto-downloads a ~525MB model and a license.xml from download.compdf.com — ensure you trust that domain and have the bandwidth/storage, (2) the SDK is commercial and subject to the included license terms (trial limited to 200 conversions and restrictions on redistribution), (3) verify the ComPDFKitConversion package from PyPI or your source to avoid supply-chain risks, and (4) be aware the underlying SDK (not visible in the wrapper) could make its own network calls — if you need stricter isolation, run conversions in a sandboxed environment or review network activity during a test run.

Review Dimensions

Purpose & Capability
ok: Name/description (PDF conversion with OCR/AI layout) align with the included Python wrapper and the declared dependency on the ComPDFKitConversion SDK. Downloading a license.xml and a document AI model from compdf.com is consistent with using a commercial SDK.
Instruction Scope
ok: SKILL.md and the script limit operations to the skill directory (scripts/) and to fetching two vendor-hosted files (license.xml and documentai.model) when needed. The instructions do not request unrelated system files, unrelated env vars, or exfiltrate data to third parties outside the vendor domain.
Install Mechanism
ok: No install spec is provided (instruction-only plus a bundled script). The SKILL.md asks the user to pip install ComPDFKitConversion, which is expected for a Python SDK. Downloads come from the vendor's official-looking domain (download.compdf.com) rather than arbitrary shorteners or IPs.
Credentials
ok: The skill declares no required credentials or config paths. One optional environment variable (COMPDF_DOCUMENT_AI_MODEL) lets users override the model path — this is proportional and documented. There are no environment variables requested that are unrelated to PDF conversion.
Persistence & Privilege
ok: always:false (default) and the skill does not request persistent system-wide changes. It writes downloaded files into its own scripts/ directory only. It does not modify other skills' configurations.