Skillv1.0.0

ClawScan security

Add watermark to PDF · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 11, 2026, 9:28 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions do match the stated purpose (upload PDFs, poll a Solutions API, return download URLs) but the package/registry metadata omits the required API credential and the implementation returns raw API responses and the watermark text (possible sensitive data), so you should verify the service and credential handling before use.
Guidance: This skill appears to do what it claims, but there are some mismatches and privacy risks to consider before installing or using it: - Verify the service/domain: confirm that https://api.xss-cross-service-solutions.com and https://login.cross-service-solutions.com are legitimate and trustworthy before providing an API key. - Credentials: the SKILL.md and script require a Solutions API key (Bearer token), but the skill metadata does not declare it. Treat the API key as sensitive — only provide it to services you trust, and prefer passing it at runtime rather than storing it insecurely. - Output leakage: the script includes the API 'raw' response and by default returns watermark_text in its printed JSON. If your watermark or the API response may contain sensitive data, request the skill be modified to omit 'raw' and avoid returning watermark_text. - Base URL override: SOLUTIONS_BASE_URL can be changed; do not point it to unknown hosts. If you plan to run this as an automated skill, consider locking or validating the base URL to a known good domain to prevent inadvertent exfiltration. - Inspect locally: because this package includes a runnable Python script, review and run it locally with non-sensitive test files first. Confirm behavior and outputs before granting the skill access to real documents or credentials. If you need higher assurance, ask the publisher for: a homepage/source repo, explicit manifest entries declaring required env vars (primaryEnv), and a privacy/security statement describing how uploaded PDFs are handled and retained.

Review Dimensions

Purpose & Capability: concernThe SKILL.md, README, and included Python script all implement the stated purpose (upload PDFs + watermark text to an external Solutions API and poll for results). However the registry metadata declares no required environment variables or primary credential even though the skill requires an API key (Bearer token). The skill also supports overriding the base URL via SOLUTIONS_BASE_URL, which is reasonable for testing but increases the attack surface if not constrained.
Instruction Scope: concernInstructions keep to the document-processing scope (accept files, upload them, poll result). They do not read unrelated system files. Concerns: (1) the SKILL.md and script recommend never echoing the API key, but the registry does not declare that credential — a mismatch; (2) the script includes 'raw' API response in its printed output and by default returns watermark_text in the result, which may leak sensitive information from either the user's watermark or fields included by the API.
Install Mechanism: okNo install spec is present (instruction-only install), and the included code is a simple Python script with a single dependency 'requests'. There are no remote download/install steps or exotic package sources. This is a low install-risk scenario, though the repository includes executable script files that the agent or user may run locally.
Credentials: concernThe declared registry metadata lists no required env vars or primary credential, but SKILL.md and the script clearly require an API key (SOLUTIONS_API_KEY or passed via --api-key). That mismatch is noteworthy: the skill needs a sensitive credential but the manifest doesn't advertise it. Additionally SOLUTIONS_BASE_URL can be overridden, meaning the skill could be pointed at an arbitrary endpoint to receive uploaded PDFs if misconfigured or maliciously modified.
Persistence & Privilege: okThe skill does not request elevated persistence: always is false, it is user-invocable, and it does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags here.