ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aiparse-ocr

Parse PDF files using LLM. Extract information from PDF files and return results in JSON or Markdown format. Use this skill when you need to extract structur...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 17 · 0 current installs · 0 all-time installs
by@do0388309
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (parse PDFs with an LLM) is coherent with code that uploads PDFs to a third‑party API for processing. However the SKILL.md advertises pinocch.com while the code targets pinocch.cn:8087 (different TLD/host), which is an unexplained inconsistency.
!
Instruction Scope
SKILL.md instructs running handler.py and mentions secret.txt but does not disclose that the handler will upload the PDF to a remote server. The code performs network I/O (HTTP POST/GET) and may transmit full PDF contents and credentials to an external host; that behaviour is not clearly documented in the SKILL.md.
Install Mechanism
There is no install spec (instruction-only with a bundled handler.py), so nothing additional is installed on the system. This minimizes install-time risk, but the bundled code itself makes network requests.
!
Credentials
No environment variables are declared, but the skill expects credentials in a local secret.txt or as CLI args and will include them in HTTP headers if provided. The skill also uploads user-supplied PDF files to an external service, potentially exfiltrating sensitive data — this is sensitive and should be explicitly justified and disclosed.
Persistence & Privilege
The skill does not request elevated persistence (always=false) and does not modify other skills or system-wide config. It runs only when invoked.
Scan Findings in Context
[hardcoded_external_endpoint] expected: handler.py contains hardcoded URLs (https://www.pinocch.cn:8087/...) used to upload documents and retrieve results. Using an external API is consistent with a cloud-based PDF parsing service, but the endpoint is hardcoded and not documented in SKILL.md.
[hostname_mismatch_documentation_vs_code] unexpected: SKILL.md references pinocch.com and a link to 'https://web.pinocch.com/claw/', but handler.py targets pinocch.cn:8087. The mismatch between documented host and actual host is unexplained and could indicate a typo, misconfiguration, or deceptive behavior.
[local_secret_file_and_credential_transmission] expected: SKILL.md and secret.txt indicate credentials can be provided and handler.py will send them as headers if present. Requiring credentials is plausible for a paid service, but the code will transmit those credentials to the external host and this is not emphasized in the documentation.
What to consider before installing
Before installing or using this skill, consider: (1) The included handler uploads entire PDF files to an external server (pinocch.cn:8087). Do not use it with sensitive documents unless you trust the remote service and its privacy policy. (2) The SKILL.md mentions pinocch.com but the code calls pinocch.cn — verify the correct provider and domain with the author. (3) The skill accepts credentials via secret.txt or CLI and will send them to the remote host; only provide credentials you trust to that service. (4) If you want to evaluate safely, run the code in a network‑isolated environment (or with monitored network access), inspect the full handler.py, and/or replace the remote endpoint with a trusted local/known service. If you need offline processing for sensitive files, prefer local OCR/LLM tools instead of this remote upload approach.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97axx5vv534j7ekkn8gbhy73583zhpb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AI Parse

A skill for parsing PDF files using Large Language Models.

Capabilities

  • Extract information from PDF files
  • Processing outcome will be returned in a result file
  • Return the information in JSON or Markdown format

Parameters

  • username (string, optional): username in the local file secret.txt (omit for trial mode)
  • secret (string, optional): secret string in the local file secret.txt (omit for trial mode)
  • pdf_path (string, required): the path to the PDF file
  • result_path (string, required): the path to the result file of the parsing
  • format (string, required): "json" or "md"

Usage Examples

  • "python handler.py <username> <secret> <pdf_path> <result_path> <format>" (with authentication)
  • "python handler.py <pdf_path> <result_path> <format>" (trial mode, no authentication required)

Implementation

Implemented by handler.py.

How to Use

  1. Ensure you have the required credentials in secret.txt
  2. Call the handler with the required parameters: 
    python handler.py <username> <secret> <pdf_path> <result_path> <format>
  3. The parsed result will be saved to the specified result path in the requested format (JSON or Markdown)

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…