Skill v1.0.2
ClawScan security
fast-ocr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 2:15 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match an offline OCR tool, but several clear inconsistencies (claims of 'fully offline' / 'no network' vs. pip install and a first-run model download, plus small packaging mismatches) make the package's promises questionable and worth further review before use.
- Guidance: This package looks like a legitimate OCR tool, but do not blindly trust the 'fully offline' and 'no network' claims. Practical points to check before installing or using it:
  - Expect to run 'pip install rapidocr-onnxruntime' (network required) and to download model files on first use (~100MB) unless you supply models locally. If you need true offline operation, confirm you can pre-download and point RAPIDOCR_MODEL_PATH to local models.
  - Audit the rapidocr-onnxruntime package (PyPI/GitHub) to confirm where it obtains models and whether it makes network calls; verify checksums or a trusted source for models if confidentiality matters.
  - Note minor packaging inconsistencies (package.json's main references a different filename than the included entry script). This looks like sloppy packaging rather than malicious intent but suggests the project could use an extra review.
  - Run the skill in an isolated environment (container or VM) and pin dependency versions before deployment. If you need higher assurance, request or supply a version of the dependency and model files that are known to be local and reviewed.

  Confidence is medium because the inconsistencies are clear and explainable (third-party dependency downloads) but do not by themselves prove malicious behavior. Additional helpful information that would raise confidence to 'high': an explicit install script that bundles models locally, or documentation from the rapidocr-onnxruntime project confirming it can be run fully offline with pre-downloaded models and showing the model download source and checksums.
Review Dimensions
- Purpose & Capability (note): The name/description (invoice/train-ticket OCR) match the code: rapidocr_minimal.py instantiates RapidOCR and implements invoice/train OCR extraction logic. Requiring the rapidocr-onnxruntime dependency is consistent with OCR functionality. However, the SKILL.md and claw.json repeatedly claim 'fully offline'/'no_network', while the README/SKILL.md instruct users to run 'pip install rapidocr-onnxruntime' and also state that a ~100MB model is downloaded on first run. These statements contradict each other and should be reconciled.
- Instruction Scope (note): Runtime instructions only cover installing the dependency, calling the skill, and optional env vars for model path/GPU. They do not ask the agent to read unrelated files or exfiltrate data. The SKILL.md lists optional environment variables (RAPIDOCR_MODEL_PATH, RAPIDOCR_USE_GPU, RAPIDOCR_CONFIDENCE_THRESHOLD) that are plausible for configuring an OCR dependency, but the included rapidocr_minimal.py does not itself read these env vars (they likely target the third‑party library).
- Install Mechanism (concern): There is no packaged install spec for the skill itself (instruction-only), but the instructions require pip installing rapidocr-onnxruntime and the SKILL.md admits a first-run download of ~100MB model files. That implies network activity outside the skill's code (performed by the dependency). This contradicts the 'no_network' and 'completely offline' claims in claw.json and the SKILL.md's security assurances. The dependency-based model download and pip install are standard for ML tools but are a meaningful deviation from the 'fully offline' promise and increase the attack surface (dependency and model sources should be audited).
- Credentials (note): The skill does not require any environment variables or credentials. It documents optional env vars for model path, GPU usage, and confidence threshold, which are reasonable for an OCR tool, though the main script does not read them itself (they likely affect the third‑party RapidOCR library). No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): The skill does not request permanent or elevated platform privileges (always is false). It does not modify other skills or system-wide configs. Autonomous invocation is enabled by default (normal) but not combined with other high-risk flags.
