ClawHub
Back to skill
v1.0.0

habib-pdf-to-json

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:35 AM.

Analysis

This is a coherent PDF extraction instruction skill, but users should install its PDF/OCR dependencies carefully and run it only on documents they intend to process.

GuidanceThis skill appears safe for its stated purpose. Before installing, verify the package identity because the metadata is inconsistent, install dependencies in an isolated Python environment, and process only PDFs whose contents you are comfortable extracting into local output files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
pip install pdfplumber pandas openpyxl ... pip install pytesseract pdf2image ... pip install pypdf

The skill asks users to install unpinned third-party PDF/OCR Python packages. This is expected for a PDF extraction skill, but it changes the local Python environment and depends on package-source trust.

User impactInstalling these packages may affect the user's Python environment and relies on the integrity of the packages retrieved by pip.
RecommendationInstall in a virtual environment, use trusted package indexes, and pin or review dependency versions if using this for sensitive or production workflows.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
with pdfplumber.open("construction_spec.pdf") as pdf: ... df.to_excel("extracted_data.xlsx", index=False)

The examples read local PDF files and write extracted data to local output files. This is central to the skill's purpose, but users should be aware that document contents may be copied into new files.

User impactSensitive construction information in PDFs could be written into Excel, CSV, JSON, or text outputs that remain on disk.
RecommendationRun the extraction only on intended files, choose safe output locations, and handle generated files according to the sensitivity of the source documents.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
_meta.json
"ownerId": "kn75fhjxn1jz5xbgd9ggj0nrtd80q1dz", "slug": "pdf-to-structured"

The bundled metadata uses a different owner ID and slug than the registry metadata supplied for the review. This is a provenance/identity inconsistency, although no hidden code or harmful behavior is shown.

User impactUsers may have less clarity about the exact package identity or publishing provenance.
RecommendationVerify that the skill identity, owner, and version match the expected registry listing before installing or relying on it.