Skill v1.0.0
ClawScan security
PDF 转 GetNotes (PDF to GetNotes) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 5, 2026, 3:39 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (convert PDF pages to images, generate a summary, upload the images, and create a GetNotes note), but the package metadata, runtime instructions, and included files are inconsistent about credentials and configuration, and the SOP contains a hard-coded API key and client ID. The undeclared credential access and the embedded secret are the main concerns.
- Guidance: The skill performs the expected PDF → images → upload → create-note flow, but review the following before installing:
  - Credentials and config are not declared: the script reads GetNotes credentials from ~/.openclaw/openclaw.json, yet the registry lists no required env vars or config paths. Expect to place sensitive API credentials in that file if you use the skill.
  - Embedded API key in docs: references/full_sop.md includes an apparent API key and client ID. Treat both as secrets; if they are live, they should be rotated and removed from the package. Do not assume the values are safe to keep.
  - Data exfiltration risk: PDF pages (your document contents) are uploaded to openapi.biji.com. Only run this on non-sensitive documents, or after confirming the service's privacy and security stance.
  - Testing recommendation: audit the included script (scripts/run_pdf_to_getnote.py) locally, test with a throwaway PDF and a dedicated, limited-scope GetNotes API key, and verify that the credentials the skill reads are the ones you expect.
  - Remediation suggestions: ask the publisher to (1) declare required config paths and env vars in the registry metadata, (2) remove any hard-coded credentials from the documentation, and (3) make credential input explicit (instruct the user to provide keys rather than embedding them). If you cannot validate these fixes, treat the skill as untrusted and give it neither real credentials nor sensitive PDFs.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (PDF → GetNotes) matches the code and instructions. However, the registry metadata declares no required credentials or config paths, while SKILL.md and the script explicitly read GetNotes credentials from ~/.openclaw/openclaw.json. The skill therefore requires access to user credentials that the metadata does not declare, which is an inconsistency.
- Instruction Scope (concern): The runtime instructions and the script read a user config file (~/.openclaw/openclaw.json), convert local PDFs to images under /tmp, call a model (MiniMax-M2) for summaries, upload the images to openapi.biji.com, and create notes. Reading the user's home config file and uploading PDF pages (potentially sensitive content) to a third-party endpoint are within the skill's functional scope, but SKILL.md also gives the agent authority to access files and credentials that the metadata does not declare. The missing declaration is a scope and consent issue.
- Install Mechanism (ok): No install spec; the skill is instruction-only plus an included Python script. Nothing is downloaded or executed from unknown external URLs. Risk from the install mechanism is low.
- Credentials (concern): The code requires GetNotes API credentials (apiKey and GETNOTE_CLIENT_ID) stored in ~/.openclaw/openclaw.json, but the registry lists no required env vars or config paths. Worse, references/full_sop.md contains a seemingly real API key and client ID embedded in the file; shipping credentials in distributed docs is a serious issue (they either leak or go stale). The optional MINIMAX_API_KEY is mentioned but not declared. Overall, the requested credential access is plausible for the task, but it is not properly declared, and sensitive values appear hard-coded in the files.
- Persistence & Privilege (ok): The skill is user-invocable and not always-enabled. It does not request persistent platform-wide privileges, does not modify other skills, and does not set itself to always: true. The privilege level is appropriate.
