Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
large-document-reader
v1.0.2
Intelligently splits long academic or technical documents into chapters, generates structured JSON summaries for each, and creates a file system with a globa...
⭐ 0· 422·4 current·4 all-time
by 陈宽同学 @mrchenkuan
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md claims splitting, per-chapter JSON summaries, and a MASTER_INDEX.md. The shipped Python scripts only extract chapter boundaries and write chapter files; there is no implementation of summary generation or index creation. Also, the scripts use absolute paths specific to a developer's machine (/Users/chenkuan/...), which is inconsistent with a generic document-processing skill.
Instruction Scope
The runtime instructions describe taking a user-provided document path and producing ./chapters/ and ./summaries/. The actual code ignores an external input and reads a hard-coded file from the developer's Desktop, then writes a chapters_info.json into a hard-coded workspace path. This is scope creep and unexpected file access not described in SKILL.md.
Install Mechanism
No install spec is provided (instruction-only plus two scripts). Nothing is downloaded or executed from remote URLs, which reduces supply-chain risk.
Credentials
No environment variables or credentials are requested (appropriate). However, the code directly accesses absolute local filesystem paths (a specific user's Desktop and home .openclaw workspace), which could inadvertently read sensitive local files if those paths exist in the runtime environment.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes files to disk (chapters_info.json and chapter .md files) within paths referenced in the scripts; it does not attempt to modify other skills or global agent settings.
What to consider before installing
Do not run this skill as-is. The package contains developer-specific absolute paths and does not implement the summary/index functionality claimed in the README. Before using: (1) Review and edit scripts to accept a user-supplied file path (avoid hard-coded paths), (2) change output locations to a safe, documented directory (relative to the current working directory), (3) verify there are no network calls or other unexpected I/O, and (4) test in a sandboxed environment with non-sensitive documents. If you don't want to edit code yourself, ask the author for a corrected release that implements summaries and index generation and removes hard-coded paths. The behavior looks like sloppy packaging rather than overtly malicious, but the inconsistencies and absolute paths are a privacy and operational risk.
Like a lobster shell, security has layers — review code before you run it.
