Skill v1.0.0
ClawScan security
crs-report-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 3:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (parsing text PDFs and producing Excel CRS reports); there are minor documentation inconsistencies but no requests for credentials, network endpoints, or suspicious behavior.
- Guidance: This skill appears to do what it says: extract text from text-based PDFs and produce a beautified Excel CRS report. Before installing/using it, consider:
  - Run it offline or in an isolated environment when processing real customer PII because PDFs contain sensitive data.
  - Ensure your PDFs are text (not scanned images); the script uses pdfplumber and will not OCR images.
  - Verify the claimed '脱敏' (data masking) behavior on sample data; the code does not implement clear automatic redaction, so you should manually inspect outputs before sharing.
  - Install and audit dependencies locally (pip install pdfplumber openpyxl) and review the script if you need guarantees about data handling (no network calls are present in the code).
  - Test with non-sensitive example files first and confirm output meets regulatory/compliance needs; final submissions should be reviewed by a qualified professional as the SKILL.md itself advises.
Review Dimensions
- Purpose & Capability (note): The script implements PDF text extraction (via pdfplumber) and Excel generation (openpyxl), which aligns with the skill description. Minor inconsistencies: SKILL.md lists BeautifulSoup in the tech stack but the included script does not import or use it, and the SKILL.md claims an automatic '信息脱敏' (data masking) feature while the script provides only placeholder defaults and does not perform explicit redaction logic.
- Instruction Scope (note): SKILL.md instructs users to upload text-based PDFs and describes extraction and table generation; the script follows that flow and only reads the provided PDF and writes an XLSX. It does not reference unrelated system files or environment variables. The only scope concern is the claimed automatic desensitization: the runtime code does not contain explicit masking/sanitization routines beyond using placeholder defaults when fields are missing.
- Install Mechanism (ok): No install spec is provided (instruction-only skill) and the included script relies on common Python libraries. This is low-risk from an installation perspective; nothing is downloaded or executed automatically by an installer.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The code does not attempt to read secrets or external configs, which is proportionate to its stated functionality.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent privileges or modify other skills or system-wide settings. It runs locally against user-supplied PDFs and writes output files only.
