Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vector Text Fixer

v0.1.0

Fix garbled text in PDF/SVG vector graphics for final editing in AI. Detect, replace and repair garbled text in vector graphic files while maintaining origin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md features, and the included scripts/main.py all target detection and repair of garbled text in PDF and SVG files, which is coherent. However, SKILL.md advertises extra capabilities and dependencies (OCR-assisted aggressive repair, cairosvg, pdfplumber, fonttools, chardet, Pillow) that are not reflected in the included requirements.txt or entirely implemented in the code. The code implements detection and some decode-based fixes, but does not show full end-to-end behaviors promised (e.g., writing repaired PDF/SVG output, OCR integration).
Instruction Scope
SKILL.md instructs running scripts/main.py with various flags and interactive/export modes. The provided script contains detection and repair helper classes and API-style functions; there is no evidence the script actually writes repaired PDF/SVG output files or implements all CLI options as documented. The SKILL.md does not request any unrelated system files or credentials. However, the runtime instructions are broader than what the included code reliably implements, so the instructions grant the agent wide discretion that the code may not safely constrain.
Install Mechanism
There is no install spec (instruction-only), but the package includes a requirements.txt that does not match SKILL.md's dependency list. requirements.txt contains 'bs4', 'dataclasses', 'fitz' whereas SKILL.md lists many other libraries and versions (pdfplumber, PyMuPDF, cairosvg, beautifulsoup4, fonttools, chardet, Pillow). The mismatch and use of ambiguous package names ('fitz' vs PyMuPDF, 'bs4' vs beautifulsoup4) increases the chance of dependency/install errors and hidden behavior. Also there is no automated install step to validate dependencies or pin versions, raising operational risk.
Credentials
The skill does not request environment variables, credentials, or configuration paths. There is no evidence in the code of credential access, network calls, or reading unrelated system secrets. The required system access is limited to reading/writing files, which is consistent with the stated purpose.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It has no install-time hooks or configuration changes declared. It appears not to modify other skills or system-wide settings.
What to consider before installing
This package looks like it was intended to fix garbled text in PDF/SVGs, but there are multiple red flags you should address before using it: (1) The requirements listed in SKILL.md do not match requirements.txt — dependency names/versions are inconsistent and essential dependencies (OCR, cairosvg, fonttools, etc.) appear missing. (2) The Python script appears truncated/buggy (e.g., incomplete code paths, unclear whether it actually writes fixed output), so running it could fail silently. (3) There is no install spec or pinned dependencies, so installing could pull unexpected package versions. Recommended next steps: inspect the full scripts/main.py (ensure file isn't truncated), verify all CLI options are implemented, correct and pin required packages, run the tool in an isolated sandbox on non-sensitive sample files, and ask the author for a complete, tested release or provenance (homepage/source repo). If you need a production-ready tool, prefer a well-maintained project or one with a release on a trusted host (GitHub releases/PyPI) and unit tests.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fz2dkpgvf7dcqg25p3z6gyh82vx99
