Skill v1.0.1
ClawScan security
ofd-text-extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 7, 2026, 9:57 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code appears to implement OFD text extraction and does not attempt network access or credential use, but there are documentation vs. implementation inconsistencies (missing PowerShell wrapper, differing JSON output schema) that could confuse users or integrations.
- Guidance: What to check before installing/using:
  - Functional checks: The included Python script appears safe and runs locally (no network/credential access). Run it on a sample OFD to confirm it produces the JSON fields you need. Note: the script writes pages with separate pageTexts and templateTexts fields, whereas SKILL.md's sample JSON shows a combined texts array with isTemplate flags — adapt your consumers accordingly.
  - Missing file: SKILL.md shows a PowerShell wrapper scripts/extract_ofd.ps1, but that file is not included. Use python scripts/extract_ofd.py ... directly or create your own wrapper.
  - Robustness: the script uses regular expressions to parse XML in places (fragile for edge cases). If you rely on exact extraction (invoices, automated pipelines), test with representative OFD files and consider improving XML parsing for complex inputs.
  - Safety: there is no obvious exfiltration (no network/socket modules, no external calls). Still review or run in an isolated environment if processing untrusted files, and verify outputs before feeding results into downstream automated systems.

  If you want, I can: (a) show the exact JSON structure the script emits for a sample OFD, (b) propose a small patch to make the output match SKILL.md, or (c) add a simple PowerShell wrapper compatible with the docs.
Review Dimensions
- Purpose & Capability: ok. Name/description (extract text+positions from OFD) matches the included Python script: it reads a local .ofd (ZIP), parses XML/Content.xml and template pages, and computes character positions. No unrelated binaries, credentials, or services are requested.
- Instruction Scope: concern. SKILL.md instructs running scripts and describes an output JSON schema that differs from what extract_ofd.py actually writes. SKILL.md examples also show a PowerShell wrapper (scripts/extract_ofd.ps1) which is not present in the package. These mismatches could lead to broken automation or unexpected outputs.
- Install Mechanism: ok. No install spec; runtime is an included Python script with only standard-library imports. No external downloads or package installs are requested.
- Credentials: ok. The skill declares no environment variables, credentials, or config paths. The script operates on a user-supplied local OFD file only.
- Persistence & Privilege: ok. Skill does not request 'always' or any elevated/persistent privileges. It does not modify other skills or system config. Autonomous invocation is allowed (platform default) but not combined with other concerning requests.
