DocuScan

DocuScan appears to be what it claims: a local-first document OCR → markdown → PDF tool. Before installing or using it, do the following: - Manually install and verify prerequisites: ensure python3 is available and run 'pip install playwright' and 'playwright install chromium' yourself; the registry metadata does not declare these dependencies. Review the Playwright download step since it fetches a browser binary. - Review the two scripts (generate-pdf.py and generate-pdf.sh) — they explicitly disable JavaScript and block non-local requests in Playwright, which reduces exfiltration risk during PDF rendering. Keep those protections in place and avoid enabling JavaScript there. - Create the documents/ directory with strict permissions (chmod 700) and review any autogenerated filenames before opening them. The skill provides filename-sanitization rules, but verify they are enforced in your runtime. - Test with non-sensitive sample documents first to confirm behavior and that files stay local. - Only enable/use the Dashboard Companion Kit if you understand and securely supply any external DB/service credentials (the dashboard requires Supabase or similar and will need environment variables); follow the dashboard's security guidance (RLS, encryption at rest, private storage buckets). - Despite explicit prompt-injection defenses, be cautious: scanned documents can themselves contain adversarial text. The skill correctly warns to never treat scanned text as executable instructions — keep that policy enforced in your agent configuration. If you want higher assurance, run the skill in a restricted environment (isolated user account or container), verify file writes are constrained to the documents/ folder, and review any changes to your environment before trusting it with highly sensitive documents.

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.