Fill XFA PDF Forms

Result: Pass. Audited by ClawScan on May 5, 2026.

Overview

The skill appears to be a local XFA PDF form-filling tool, with user-notice items around installing a Python dependency and displaying sensitive form values in the session.

Before installing, review the script, install pikepdf in a trusted virtual environment, and use the tool only with PDFs and form data you are comfortable processing in the current session. Check the output PDF before submitting it, and remember that filled field values may appear in logs or transcripts.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing packages can change the local Python environment and may pull whatever version is current at install time.

Why it was flagged

The skill requires installing an external Python package without a pinned version. This is purpose-aligned for PDF manipulation, but it is still a supply-chain hygiene point for users.

Skill content

pip install pikepdf

Recommendation

Install in a virtual environment and consider pinning or reviewing the pikepdf version used.

What this means

Sensitive form details could be visible in chat logs, terminal history, or shared transcripts.

Why it was flagged

After filling a form, the script prints the written field values. XFA forms may contain personal or banking details, so those values can appear in the terminal or agent transcript.

Skill content

print("\nWritten values:") ... print(f"  ✓ {field} = {vals[0]!r}")

Recommendation

Use this skill in a private session, avoid sharing logs that contain filled values, and redact sensitive output if necessary.