Skill v1.1.0

ClawScan security

PDF to Word Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 12:02 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime behavior align with its stated purpose (a local PDF→Word converter that uses a commercial SDK and an optional local AI model), but it automatically downloads a license file and a large model file from the vendor at first run—you should be aware of and accept those network operations before installing.
Guidance
This skill is internally coherent for converting PDFs to DOCX using a commercial SDK, but before installing you should: (1) accept that the script will download a license.xml and a large model (~hundreds of MB) from https://download.compdf.com on first run and will cache them in the skill's scripts/ directory; (2) verify the pip package name 'ComPDFKitConversion' is the legitimate vendor package (installing unknown PyPI packages can be risky); (3) if you care about privacy, confirm whether the SDK performs conversion fully locally (the code shows local SDK usage, but network behavior of the SDK itself is not visible here); (4) if you prefer control, provide your own license.xml and/or pre-download the model and set COMPDF_DOCUMENT_AI_MODEL to avoid automatic downloads; (5) review the full script for any behavior you consider unacceptable (note: the provided script is generally consistent but a truncated snippet showed a small variable-name bug—inspect the full file in your environment before running). If these points are acceptable, the skill appears fit for purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (PDF→Word with AI layout and table handling) match what the skill actually does: it wraps the ComPDFKitConversion Python SDK, requires the SDK package, and optionally an AI model for OCR/layout. No unrelated services, binaries, or credentials are requested.
Instruction Scope
note
The SKILL.md and script instruct the agent to auto-download two files from download.compdf.com (license.xml and documentai.model) into the skill's scripts/ directory and to initialize the SDK using the license key read from the XML. This network activity is coherent with the skill's needs but is important to note: converted inputs and local files are handled by the SDK, and the skill does not request unrelated environment variables or other system paths. The SKILL.md also documents an optional override via COMPDF_DOCUMENT_AI_MODEL.
Install Mechanism
note
There is no platform install spec; the SKILL.md requires 'pip install ComPDFKitConversion'. Using pip is expected, but pip-installed packages are moderate-risk operations (you should verify the package source/name and integrity). The script downloads model and license files from compdf.com (a vendor domain matching the homepage). No obscure or shortened URLs are used.
Credentials
ok
The skill does not demand secrets or unrelated credentials. One optional env var (COMPDF_DOCUMENT_AI_MODEL) is used to override the model path, which is proportionate to the stated functionality. The license key is fetched from vendor XML (not requested as an env var).
Persistence & Privilege
ok
The skill is not always-enabled, does not request elevated privileges, and does not modify other skills or system-wide agent settings. It writes downloaded files into its own scripts/ directory (license.xml, documentai.model) which is normal for caching SDK resources.