Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PDF Master Translator

v1.0.0

A highly robust, multi-agent pipeline for translating and reconstructing complex, image-heavy, or scanned PDF documents (especially engineering, scientific,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The scripts implement a coherent, LLM-based PDF translation pipeline (masking figures, extracting images, rendering LaTeX via an external math service) which is consistent with the described purpose. However, the registry metadata declares no required env vars or binaries while both SKILL.md and all scripts require a GEMINI_API_KEY and Python >=3.11 with several packages — this metadata omission is incoherent and misleading.
Instruction Scope
Runtime instructions and the scripts instruct uploading page images and raw page text to a third-party LLM service (google-genai / Gemini) and call math.vercel.app for LaTeX rendering. Sending whole page images and unredacted page text is necessary for the approach but is a high-privilege action (potentially exfiltrating sensitive content). The SKILL.md explicitly tells users to export GEMINI_API_KEY and optionally HTTPS_PROXY, showing the skill will transmit data externally; GEMINI_API_KEY is not declared in the skill metadata.
Install Mechanism
No formal install spec is provided (instruction-only), which reduces direct install-time risk, but the included scripts require Python 3.11+ and several packages (pymupdf, google-genai, markdown2, weasyprint, pillow, tenacity). Running the scripts will require installing these dependencies locally. No opaque third-party download URLs are present in the files reviewed.
Credentials
The code requires a GEMINI_API_KEY (used to instantiate genai.Client and upload page images) and will transmit document images/text to that service and to math.vercel.app. Yet the registry metadata lists no required environment variables or primary credential — this is a clear mismatch. Requesting an LLM API key is proportionate to an LLM-based translator, but it must be declared and the privacy implications must be explicit to users.
Persistence & Privilege
The skill does not request always:true, does not change other skills' configs, and creates/cleans temporary work directories. Autonomous invocation (disable-model-invocation=false) is the platform default; combined with the above data-upload behavior this increases blast radius but is not itself unusual.
Scan Findings in Context
[pre-scan-injection-none] expected: Static pre-scan reported no injection signals. That does not reduce the privacy risk: the scripts intentionally upload images and text to external LLM and math rendering endpoints, which should be considered during review.
What to consider before installing
This skill contains working Python scripts that will upload full page images and extracted raw page text to external services (Google GenAI/Gemini via google-genai and math.vercel.app). Before installing or running it, consider:
1) Provenance — the skill source and homepage are unknown; prefer packages with known authors or inspect code thoroughly.
2) Credentials — the code requires GEMINI_API_KEY (not declared in registry metadata); do NOT reuse high-privilege or shared API keys.
3) Data sensitivity — the tool will transmit your PDFs (images and text) to third-party services; do not use on confidential or regulated documents unless you accept that risk.
4) Isolation — run in an isolated environment (sandbox/container) with a dedicated API key and restricted network/proxy rules.
5) Dependencies — install Python 3.11+ and the listed packages in a virtualenv; review package sources.
6) Code review — if you need to proceed, inspect the upload and prompt code paths and consider replacing remote LaTeX rendering with a local renderer if data leakage is a concern.
If the missing GEMINI_API_KEY declaration and unknown origin are unacceptable, do not install.

Like a lobster shell, security has layers — review code before you run it.

latest · vk975qkst4f40wtkpsfy8kxb87h83543b
