Nested PDF Merger

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill appears benign: it only instructs the agent to use a named PDF-merging command, with user-confirmed paths, though the external tool should be installed from a trusted source.

Before installing, verify that the nestedpdfmerger package is the one you intend to trust. When using the skill, provide explicit input and output paths and consider --dry-run to confirm merge order. The artifacts do not show credential use, persistence, or hidden behavior.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong or compromised package is installed, the agent would run that local tool when merging PDFs.

Why it was flagged

The skill delegates its core behavior to an external package installed outside the reviewed artifact set. This is disclosed and central to the skill’s purpose, but package provenance still matters.

Skill content

Expected installation command:

```bash
pip install nestedpdfmerger
```

Recommendation

Install nestedpdfmerger only from the intended trusted package/repository and review the package source if your PDFs are sensitive.

What this means

The agent may run the nestedpdfmerger binary to read PDFs from the chosen folder and create the requested output file.

Why it was flagged

The skill explicitly instructs the agent to invoke a local CLI. This command execution is expected for the PDF-merging purpose and is scoped to user-provided input and output paths.

Skill content

Expected CLI entrypoint:

```bash
nestedpdfmerger INPUT_DIR -o OUTPUT.pdf [options]
```

Recommendation

Use explicit input and output paths, run --dry-run when checking merge order, and avoid pointing it at folders that contain PDFs you do not want processed.