PDF Reader

Advisory

Audited by Static analysis on May 12, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run a local script and PDF/OCR utilities on the selected PDF file.

Why it was flagged

The skill operates by asking the agent to run a local shell script. That is disclosed and central to extracting/OCRing PDFs, but it is still local code execution.

Skill content

Run the bundled script via `exec`: bash <skill-dir>/scripts/pdf-extract.sh /path/to/file.pdf

Recommendation

Use the skill only for PDFs you intend to process, and keep execution/output paths scoped to a temporary or workspace directory.

What this means

If --auto-install is used, the host may install or update poppler/tesseract packages.

Why it was flagged

The script can optionally install system packages through the host package manager. This is disclosed and gated by --auto-install, but it can change the local environment and may require elevated privileges.

Skill content

if ! $AUTO_INSTALL; then ... "Or re-run with --auto-install to install automatically." ... apt-get update -qq ... apt-get install -y -qq poppler-utils ... tesseract-ocr

Recommendation

Prefer pre-approved/manual installation of dependencies, or explicitly review and approve any use of --auto-install.

What this means

A mistaken output path could replace an existing file with extracted PDF text.

Why it was flagged

The output path is user/agent controlled and the script writes extracted text there. This is expected for a save-to-file option, but an incorrect path could overwrite an accessible file.

Skill content

if [[ -n "$OUTPUT" ]]; then
    cat > "$OUTPUT"

Recommendation

Write output to a new temporary or workspace file unless the user explicitly asks for another destination.