ClawHub

Pdf Smart Tool Cn Payment

v1.0.1

PDF智能处理工具 Pro | PDF转图片、图片转PDF、OCR识别、PDF合并拆分。

0· 316·0 current·1 all-time
by@huyong2023
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description advertise PDF conversion, OCR, merging/splitting and API access, but the skill is instruction-only and contains no commands, API endpoints, binaries, or code to perform any of those tasks. That mismatch (marketing vs no implementation) is incoherent.
!
Instruction Scope
SKILL.md is marketing/payment text and pricing tiers only; it provides no runtime instructions (no commands to run, no endpoints to call, no guidance on how to accept files). It also includes payment account details, which could encourage the agent or user to transfer money despite no formal payment/integration flow being present.
Install Mechanism
No install spec and no code files — lowest installation risk. However, the lack of any install or implementation is itself the primary coherence problem (the skill cannot actually perform the advertised functions as-is).
Credentials
The skill requests no environment variables or credentials (proportionate), but embeds explicit payment identifiers (Alipay phone and a QQPay account token) in metadata. This is unusual for a skill manifest and may be an attempt to solicit off-band payments; it does not request system credentials, but the payment info is out-of-band and should be treated with caution.
Persistence & Privilege
No elevated persistence requested (always:false). The skill is user-invocable and can be called autonomously by the agent (default), but it does not request system config or modify other skills.
What to consider before installing
Do not install or send money based solely on this skill's page. The skill advertises paid PDF processing features but provides no code, commands, or API details indicating how those features would actually run. Ask the publisher for: (1) source code or a verifiable homepage, (2) concrete runtime instructions (APIs, binaries, or service endpoints), and (3) a legitimate payment/invoicing flow (not just account identifiers in the manifest). If you still want to test it, require a security review of the code or run it only in an isolated sandbox and disable autonomous invocation so the agent cannot prompt users to make payments or exfiltrate data. If the skill asks you to send payment first before any verifiable integration is provided, treat it as untrusted and avoid paying.

Like a lobster shell, security has layers — review code before you run it.

latestvk97033e44x8a5eq97twk7k7f65824zkh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments