v1.0.0

DocStream

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

DocStream appears to be a coherent document-processing API skill, but users should know it sends document-processing requests to an external service and handles a DocStream API key or signup email.

Guidance: This skill is reasonable for document extraction, summarization, conversion, and PDF parsing through DocStream. Before installing or using it, verify that you trust the DocStream/Voss endpoint, avoid sending highly sensitive documents unless you accept the provider's data handling terms, and keep any generated API key private.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
scripts/forge-client.sh
API_KEY="${DOCSTREAM_API_KEY:-}" ... EMAIL="${DOCSTREAM_EMAIL:-}" ... echo "✅ Free key: $API_KEY" >&2

The helper uses a DocStream API key or signup email and prints a newly created API key to stderr. This credential handling is expected for the API integration, but the key should not be exposed in shared logs or transcripts.

User impact: A DocStream API key could be visible in command output or captured logs if auto-signup is used.
Recommendation: Treat generated API keys as secrets, avoid sharing command output that contains them, and prefer storing keys in a private environment variable.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium. Confidence: High. Status: Note.
scripts/forge-client.sh
API_BASE="${DOCSTREAM_API_URL:-https://anton.vosscg.com}" ... process) curl -sf -X POST "$API_BASE/v1/documents/process" ... -d "$1"

The helper sends user-provided document-processing JSON to an external API endpoint. This is aligned with the skill's document-processing purpose, but document URLs or content may leave the user's environment.

User impact: Private or sensitive document data could be shared with the DocStream service if the user asks the skill to process it.
Recommendation: Only use this skill for documents you are comfortable sending to DocStream, and verify the provider's privacy and retention terms before processing sensitive files.