Skillv1.0.0

ClawScan security

Academic Formula Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 19, 2026, 10:01 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with its stated purpose (converting LaTeX in Markdown to docx/html), it requests no credentials or unusual installs, and it contains no network/exfiltration behavior — only a minor mismatch between the documented --images option and how images are actually handled in code.
Guidance: This skill appears to do what it says: converting Markdown with LaTeX formulas into styled docx or HTML. Before installing/using it: 1) install the listed Python packages (pip install python-docx markdown); 2) be aware the tool will read the input markdown and any image file paths referenced in that markdown (it will not fetch remote images), so avoid pointing it at sensitive local files unless you intend to include them; 3) note a small implementation mismatch: the --images option is accepted but not actually used to resolve image links, so ensure image paths in your markdown are correct or adjust the script if you need image-directory handling; 4) there are no network calls or credential requirements in the code, so risk is limited to local file access and standard Python package installation.

Purpose & Capability: okName/description (LaTeX -> docx/html) matches the provided code and instructions. Required dependencies listed (python-docx, markdown) align with imports used. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteSKILL.md usage (running the included Python script, installing python-docx and markdown) matches runtime behavior. Minor inconsistency: SKILL.md and the CLI accept an --images directory, but the script does not use the images_dir when resolving image links (it uses the path from the markdown directly). The script reads local input markdown and any local image paths referenced, which is expected for a converter but means it will access files on the host filesystem referenced by the markdown.
Install Mechanism: okInstruction-only skill with no install spec; dependencies are standard PyPI packages and are listed in SKILL.md. No downloads from arbitrary URLs or archive extraction are present.
Credentials: okNo environment variables, credentials, or external tokens are requested. The script does not read environment variables or external config.
Persistence & Privilege: okSkill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide agent settings.