Skill v1.0.3

ClawScan security

Pdfreader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 2:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (extracting text/metadata from PDFs using PyMuPDF); there are no unrelated credentials, network calls, or hidden endpoints, but a couple of small implementation caveats are worth noting before use.
Guidance
This skill appears to do what it claims: extract text and metadata from PDFs using PyMuPDF. Before installing or running it, consider:
1) Run pip install pymupdf in an isolated environment (virtualenv/container) — PyMuPDF includes compiled code from PyPI.
2) The script enforces 'within current working directory' but allows subdirectories and does not resolve symlinks; avoid placing untrusted symlinks inside the working directory to prevent escapes.
3) Because the source/homepage is unknown, prefer running the script in a sandbox and review the code yourself (or run it on non-sensitive PDFs) before giving it access to important files.
If you need stricter confinement (no subdirectories or symlink protections), request a code change to use os.path.realpath checks and a configurable safe directory.

Review Dimensions

Purpose & Capability
ok
Name/description match the files and instructions. The code uses PyMuPDF (fitz) to open PDFs, extract text and metadata, and produce JSON — exactly what the description promises. No extraneous binaries, credentials, or services are requested.
Instruction Scope
note
SKILL.md usage aligns with the script's behavior (pip install pymupdf; run python pdf_reader.py ...). The SKILL.md states files must be 'within the current working directory' and forbids '../' traversal; the script enforces that by checking that absolute paths are inside os.getcwd(). However, the script allows files in subdirectories of the current working directory (contrary to an implication that only the top-level cwd is allowed) and uses os.path.abspath rather than os.path.realpath, so a symlink inside the cwd that points outside could bypass the directory restriction. This is an implementation caveat rather than evidence of malicious behavior.
Install Mechanism
ok
No install spec is embedded (instruction-only install guidance in SKILL.md recommends 'pip install pymupdf'). That is low-risk from the skill bundle perspective. Note: installing PyMuPDF via pip will run compiled extension code from PyPI — treat pip installs from unknown sources with standard care.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The functionality does not require additional secrets. The code does not read environment variables or access unrelated system configuration.
Persistence & Privilege
ok
The 'always' field is false and the skill does not request persistent/auto-included privileges. It does not modify other skills or system-wide settings. Autonomous invocation remains the platform default but is not combined with other concerning privileges here.