ClawHub

TextIn xParse Document Parse

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent document-parsing skill, but it relies on an external CLI/API, a remote installer, and optional paid credentials that users should review before use.

Before installing, verify that you trust the xparse-cli installer and TextIn service. Use this skill only for documents you are comfortable sending to that provider, and be aware that configured paid credentials may be used automatically unless you force the free API.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

Installing the CLI runs code downloaded from the internet on the user's machine.

Why it was flagged

The skill depends on a remote installer whose contents are not included in the artifacts. This is a common setup pattern and aligned with the skill purpose, but users must trust the external source.

Skill content
Requires the `xparse-cli` binary ... install: `source <(curl -fsSL https://dllf.intsig.net/download/2026/Solution/xparse-cli/install.sh)` ... `irm https://dllf.intsig.net/download/2026/Solution/xparse-cli/install.ps1 \| iex`
Recommendation

Verify the xparse-cli source and installer URL before running it, and prefer a trusted package manager or reviewed installer if available.

#
ASI07: Insecure Inter-Agent Communication
Medium
What this means

Document contents may leave the local machine and be processed by TextIn/xparse services.

Why it was flagged

The artifacts indicate that parsing is performed through a provider API and involves uploading the selected document.

Skill content
Based on [Textin Parse API v1] ... `xparse-cli parse <FILE>` ... `40305 | File missing or not uploaded`
Recommendation

Do not use this skill on confidential documents unless the provider's privacy, retention, and compliance terms are acceptable.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Parsing may consume paid account quota or credits when credentials are present.

Why it was flagged

If paid credentials are already configured, the default parse command can use the paid account without adding an explicit `--api paid` flag.

Skill content
`_(omitted)_ | Paid if credentials exist, else free` ... `Credential priority: CLI flags → env vars → ~/.xparse-cli/config.yaml`
Recommendation

Use `--api free` when paid usage is not intended, and protect XPARSE_APP_ID, XPARSE_SECRET_CODE, and ~/.xparse-cli/config.yaml.