Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (local PDF processing: summary, Q&A, tables, split/merge) match the script's capabilities. However, SKILL.md advertises optional OCR and '高级问答' (advanced Q&A; langchain/faiss) integrations, while the included script contains only local, rule-based logic and does not call OCR or an LLM. SKILL.md also documents environment variables (PDF_OUTPUT_DIR, OCR_ENABLED) that the script does not read, a mismatch between declared capabilities/config and actual code.
Instruction Scope
SKILL.md instructs the agent to confirm file path and call the provided script; the script performs only local file I/O and PDF processing with PyPDF2/pdfplumber. It does not read other system files, environment secrets, or send data externally. The scope is limited to PDF handling, matching the stated purpose.
Install Mechanism
There is no automated install spec in the registry (instruction-only). SKILL.md suggests pip install lines for common PyPI packages (PyPDF2, pdfplumber, pandas, openpyxl, pytesseract, langchain, faiss-cpu). These are well-known public packages — the risk is standard for pip installs. No downloads from arbitrary URLs or extract operations are present in the bundle.
Credentials
The skill does not require credentials or secrets. SKILL.md declares optional environment variables (PDF_OUTPUT_DIR, OCR_ENABLED) but the provided script does not reference them (it uses a hardcoded default path when output not provided). This mismatch is inconsistent but not indicative of credential exfiltration.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not modify other skills or global agent configuration. It runs as a script on demand and writes output files only to user-specified or default directories.
What to consider before installing
This skill appears to be a local PDF tool and the Python script does not perform networking or access secrets — that is good. However, SKILL.md and the script are inconsistent: the doc suggests environment variables (PDF_OUTPUT_DIR, OCR_ENABLED) and optional advanced LLM/OCR dependencies, but the script doesn't use those env vars and does not implement OCR or LLM integration. Before installing or running: 1) review whether you need the optional pip packages — they must be installed manually and bring the usual supply-chain risks of pip; 2) expect output files to be written to a default folder under your home directory unless you pass an explicit --output; 3) if you require OCR/LLM features, confirm the skill actually implements them or find an updated version; and 4) run the script on non-sensitive test PDFs first to verify behavior. If you want a fully coherent skill, ask the author to either remove the unused env/dep mentions from SKILL.md or update the code to honor OCR_ENABLED/PDF_OUTPUT_DIR and to document any external network calls or credentials required.
Like a lobster shell, security has layers — review code before you run it.
Tags: assistant, chinese, document, latest, pdf, productivity
