Fill XFA PDF Forms
AdvisoryAudited by Static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing packages can change the local Python environment and may pull whatever version is current at install time.
The skill requires installing an external Python package without a pinned version. This is purpose-aligned for PDF manipulation, but it is still a supply-chain hygiene point for users.
pip install pikepdf
Install in a virtual environment and consider pinning or reviewing the pikepdf version used.
Sensitive form details could be visible in chat logs, terminal history, or shared transcripts.
After filling a form, the script prints the written field values. XFA forms may contain personal or banking details, so those values can appear in the terminal or agent transcript.
print("\nWritten values:") ... print(f" ✓ {field} = {vals[0]!r}")Use this skill in a private session, avoid sharing logs that contain filled values, and redact sensitive output if necessary.