Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Textin File Converter Pro

v1.0.2

Convert documents between PDF, Word, Excel, PPT, and image formats using the Textin API. High-accuracy OCR-based conversion with layout preservation. Support...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill name/description describe a document converter using the Textin API, and the included scripts implement that functionality and contact api.textin.com. However, the registry metadata (top-level summary) lists no required environment variables and no homepage/source, while SKILL.md and scripts require TEXTIN_APP_ID and TEXTIN_SECRET_CODE and reference a GitHub source and textin.com. This metadata mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md and the scripts limit file access to user-supplied files (single file or a single directory, non-recursive) and enforce file-type and 50MB size checks. Outbound network calls are hardcoded to api.textin.com. The instructions do not ask the agent to read unrelated files or credentials beyond the two Textin env vars. Note: the scripts accept URL inputs (they POST the URL to the API), which can cause the remote API to fetch resources referenced by those URLs — expected for this use case but worth being aware of.
Install Mechanism
There is no install spec; this is instruction-only with bundled shell scripts. No remote downloads or archive extraction are performed by the skill itself. The scripts will run locally when invoked and require common utilities (curl, python3, base64) — these are declared in SKILL.md and are proportionate to the task.
Credentials
The scripts require two environment secrets (TEXTIN_APP_ID and TEXTIN_SECRET_CODE) — which is reasonable for an API-backed converter. The concern is that the registry metadata at the top of the submission claims 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md and scripts. This inconsistency could be a packaging or publishing oversight, but you should confirm where to obtain and store credentials, and ensure you trust the api.textin.com service before providing secrets.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or global agent settings. It runs as user-invoked scripts and saves output files to user-specified locations; no persistent background components are created.
What to consider before installing
This skill appears to implement a legitimate Textin-based document converter, but there are inconsistencies in the published metadata (it omits required environment variables and has no homepage) that you should resolve before trusting it. Actions to take before installing:
1) Verify the source — ask the publisher for a canonical homepage or Git repository and confirm the repository matches the bundled scripts.
2) Only provide TEXTIN_APP_ID and TEXTIN_SECRET_CODE if you trust api.textin.com; consider creating a dedicated API key with limited quota.
3) Test the tool with non-sensitive files to confirm behavior.
4) Inspect the included scripts locally (they are provided) and ensure no hidden network endpoints are present.
5) Be aware that providing URL inputs causes the API to be sent those URLs (the remote service may fetch them).
If the publisher cannot explain the metadata mismatch or provide a trusted source, treat the package cautiously or avoid installing.


latestvk971ceeajys4h3ggcvr64z8hy984fzvt


Dependencies

curl (other)
python3 (other)
base64 (other)
