Skill v0.1.0
ClawScan security
pdf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 15, 2026, 12:30 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's PDF capabilities match its description, but the runtime instructions reference local scripts and tooling that are not included in the package (and there is no install spec), creating an incoherence that warrants caution.
- Guidance: This skill's documentation legitimately describes PDF operations (extraction, OCR, merging, form-filling) and is mostly coherent, but forms.md repeatedly tells you to run local scripts (e.g., python scripts/check_fillable_fields ...) that are not included in the package. Before installing or running this skill:
  1) Ask the publisher for the missing scripts and inspect them; they will run on your machine and could read or transmit data.
  2) Verify or install the listed dependencies (pypdf, pdfplumber, pytesseract, poppler-utils, qpdf, etc.) in an isolated environment; avoid installing untrusted packages system-wide.
  3) Be cautious with sensitive PDFs (PII, IDs, contracts) until you have confirmed that the scripts do only local processing and do not exfiltrate files or call external endpoints.
  4) Confirm the license/usage terms (LICENSE.txt references Anthropic terms and additional restrictions) and the provenance of the skill (owner is unknown, no homepage).
  If the missing scripts are provided and reviewed, and the dependencies are explicit and safe, the skill could be considered benign; in the absence of those scripts, the incoherence is the reason for a 'suspicious' rating.
Review Dimensions
- Purpose & Capability (note): The name and description (PDF manipulation: extract, merge, fill forms, OCR, etc.) align with the concrete instructions, which show use of pypdf, pdfplumber, reportlab, qpdf, poppler-utils, pytesseract, pypdfium2, and JS pdf libraries. This is proportionate to the stated purpose. However, forms.md repeatedly instructs running scripts from a local scripts/ directory (e.g., scripts/check_fillable_fields, scripts/extract_form_field_info.py), while the skill bundle includes no scripts or code files, only documentation files, creating a mismatch between claimed functionality and provided artifacts.
- Instruction Scope (concern): SKILL.md and forms.md instruct the agent or user to run local python scripts, convert PDFs to images, generate validation images, and run fill scripts. Those actions require executing code and manipulating potentially sensitive documents on disk; that is expected for a PDF tool. The problem: the instructions direct use of specific local scripts (and strict multi-step workflows) that are not present in the package. If an agent followed the instructions verbatim it would either fail or attempt to obtain/execute external scripts (not specified). The docs also ask the user to visually inspect validation images and to run checks in precise order (explicit control flow). This missing-scripts gap is a scope/integrity concern.
- Install Mechanism (note): No install spec is provided (instruction-only), which is lower risk for arbitrary code being dropped during install. However, the instructions assume many third-party Python packages and CLI tools (pypdf, pdfplumber, pytesseract, pdf2image, poppler-utils, qpdf, pdftk, pypdfium2, etc.) that may not be installed. Because no install mechanism is specified, users or agents might attempt to pip/apt install these on the fly; that behaviour is not controlled by the skill and could lead to unexpected package installs. The absence of included scripts combined with heavy reliance on them is the main install/integrity issue.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. That matches the documented operations (local file manipulation, OCR, and CLI usage), which do not need external credentials. There is no apparent attempt to request unrelated secrets.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not declare any actions that would modify other skills or system-wide agent settings. No elevated persistence or privileges are requested.
