Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ManualExpert
v1.0.0
Professional translator for hardware and technical manuals delivering complete, page-by-page bilingual tables and Word exports for accurate DTP preparation.
by MUGENG SU (@mugeng-su)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, the Markdown instructions, and the export script are consistent: the skill produces page-by-page bilingual tables and then converts Markdown to .docx. However, the skill mandates extracting "ALL visible text (PDF or images)" but provides no code, binaries, or instructions for PDF parsing or OCR (e.g., pdftotext, Tesseract, or a PDF library). That gap is an implementation incoherence (the skill promises extraction capabilities it doesn't provide).
Instruction Scope
SKILL.md instructs the agent to extract every visible string (including labels, footnotes, UI text) and to use as many tokens as necessary, and to never summarize or skip. While aligned with the stated goal, this absolute-completeness requirement increases the risk of inadvertently exposing sensitive data (serial numbers, PII, credentials embedded in manuals). The instructions do not limit or redact sensitive fields, nor do they specify how to load PDFs/images into the agent, which may encourage ad-hoc practices (uploading raw PDFs to external services) with data-exfiltration risk.
Install Mechanism
There is no install spec (lowest risk) and no network/downloads. The included Python script depends on the 'docx' (python-docx) package but the skill does not declare this dependency or how to install it; this will cause runtime errors unless the environment already has python-docx. No other installation or remote code downloads are present.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate to the stated purpose. There are no hidden credential requests in SKILL.md or the script.
Persistence & Privilege
"always" is false: the skill is user-invocable and not forced into every agent run. The skill does not modify other skills or system-wide settings. No elevated persistence or privileges are requested.
What to consider before installing
Key things to consider before installing or using this skill:
- Extraction gap: The skill requires extracting text from PDFs and images but provides no OCR/PDF tooling. Ask the author which tool/process they expect (pdftotext, pdfminer, Tesseract, upstream service) or provide a separate, audited extraction step. Without that, the agent may attempt fragile or unsafe ad-hoc extraction.
- Dependency: The export script needs the python-docx package. Ensure your environment has python-docx installed (or add an install step) before relying on the export step.
- Sensitive data risk: The policy to "extract ALL visible text" can surface sensitive information embedded in manuals. Only feed documents you have the right to process, and consider redacting or reviewing sensitive fields first.
- Operational safety: Test the skill on non-sensitive sample manuals to validate output formatting and pagination. Confirm whether OCR/embedding preserves layout you need for DTP.
- If you need assurance: request more details from the publisher — how PDF/image extraction is intended to work, an explicit dependency list (python-docx version), and a signed provenance or homepage. If these are not available, treat the skill as incomplete and use caution.
