Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a purpose-aligned PDF processing guide, but users should verify any local tools or helper scripts before running them and protect sensitive PDF/form data.
This skill appears safe for local PDF work. Before installing or using it, make sure any referenced scripts or PDF tools come from trusted sources, process only documents you are authorized to modify, and clean up temporary files that contain personal or confidential information.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may try to run helper code that was not included in the reviewed artifact set.
The form workflow references helper scripts, while the supplied manifest contains only Markdown/license files and no scripts directory. This is not malicious by itself, but any such helper code would need separate verification before use.
Run this script from this file's directory: `python scripts/check_fillable_fields <file.pdf>`
Only run helper scripts from a trusted, reviewed source, and do not substitute downloaded or unrelated scripts without checking them.
If misused, the skill could help modify, split, merge, or decrypt PDFs that the user should not alter.
The documentation includes command-line PDF modification and decryption examples. These are purpose-aligned, but they can alter or remove protection from local documents.
qpdf --password=mypassword --decrypt encrypted.pdf decrypted.pdf
Use these commands only on documents you own or are authorized to process, and review output files before sharing them.
Sensitive form data may remain on disk in intermediate files after the PDF is created.
The form-filling workflow stores user form values in local JSON files. This is expected for the task, but those intermediate files may contain personal or sensitive information.
Create a `field_values.json` file ... "description": "The user's last name" ... "value": "Simpson"
Work in a private directory, avoid syncing sensitive intermediates to shared locations, and delete temporary JSON/images when finished.
