Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: index.js performs local PDF-to-image conversion using pdfjs-dist and node-canvas. Requiring Node is appropriate. However, the SKILL.md metadata only declares pdfjs-dist as an npm install but the code also requires 'canvas' (node-canvas), which is not declared—an incoherence between declared dependencies and actual runtime needs.
Instruction Scope
Runtime instructions are narrowly scoped: they run a local CLI (node index.js ...) that reads a local PDF and writes image files. The SKILL.md explicitly states 'local processing' and the code performs only local file I/O. There are no network calls, hidden endpoints, or attempts to read unrelated system files or environment variables.
Install Mechanism
This is instruction-only in the registry (no automated install), and SKILL.md metadata suggests installing pdfjs-dist via npm which is reasonable. But index.js requires 'canvas' (node-canvas) at runtime; node-canvas often requires native system libraries (cairo, pango, libjpeg, etc.) and build steps. Those native prerequisites are not mentioned, so the install guidance is incomplete and may cause runtime failures or unexpected manual steps.
Credentials
The skill declares no environment variables, credentials, or config paths and the code doesn't access any secrets or external credentials. The requested access (filesystem read/write) is proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or system-wide privileges. It does not modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but does not combine with other concerning privileges.
What to consider before installing
This skill appears to do what it says (convert PDFs to PNG/JPG locally) and does not contact external services or request credentials. However, the package metadata/instructions are incomplete: index.js requires the 'canvas' (node-canvas) module which is not listed, and node-canvas typically needs native libraries (cairo, pango, libjpeg, etc.) or build tools. Before installing or running:
1) ensure you have Node installed;
2) install both pdfjs-dist and canvas (npm install pdfjs-dist canvas) and be prepared to install any native system dependencies for node-canvas (check node-canvas docs for platform-specific steps);
3) run the tool in a sandbox or test environment first to confirm build/run behavior and to avoid accidental file overwrites (the tool writes output files and can overwrite existing paths);
4) verify the license (MIT) and the small codebase manually if you have concerns.
If you want this to be easier for end users, ask the author to update the SKILL.md/registry metadata to list 'canvas' and document native prerequisites.
Like a lobster shell, security has layers — review code before you run it.
latestvk9760ghqpd39gpnxxmcww24dks84t380
Runtime requirements
🖼️ Clawdis
Bins: node
