Fill XFA PDF Forms
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: fill-xfa Version: 1.0.0 The skill provides a specialized utility for filling Adobe XFA (LiveCycle) PDF forms by directly manipulating the embedded XML data using the pikepdf library. The Python script (scripts/fill_xfa.py) implements field discovery and data injection without any network activity, suspicious file access, or command execution. The instructions in SKILL.md are strictly aligned with the stated purpose and do not contain any prompt-injection attempts or malicious directives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing packages can change the local Python environment and may pull whatever version is current at install time.
The skill requires installing an external Python package without a pinned version. This is purpose-aligned for PDF manipulation, but it is still a supply-chain hygiene point for users.
pip install pikepdf
Install in a virtual environment and consider pinning or reviewing the pikepdf version used.
Sensitive form details could be visible in chat logs, terminal history, or shared transcripts.
After filling a form, the script prints the written field values. XFA forms may contain personal or banking details, so those values can appear in the terminal or agent transcript.
print("\nWritten values:") ... print(f" ✓ {field} = {vals[0]!r}")Use this skill in a private session, avoid sharing logs that contain filled values, and redact sensitive output if necessary.