Skill v2.0.0

ClawScan security

Doc Scan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 3:58 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (a local document-scanning script); there is no evidence of unrelated credential access, network exfiltration, or suspicious install behavior.
Guidance
This skill appears to do exactly what it claims: run a local document-scanning script. Before installing/using it, note that: (1) it requires Python and image libraries (opencv-python-headless, numpy, Pillow; img2pdf optional) which you must install in the runtime environment; (2) the SKILL.md path to the script may be relative to how skills are installed—verify the script path in your environment; (3) processing is local (no network I/O observed) but as with any tool, avoid feeding highly sensitive documents unless you trust the runtime environment; and (4) the skill is marked deprecated in favor of doc-process v4.0.0+, so prefer the newer package if available.

Review Dimensions

Purpose & Capability
ok
Name/description (document scanning, dewarping, enhancement) align with the included script (doc_scanner.py) which performs edge detection, perspective warp, shadow removal, and output formatting. No unrelated credentials, services, or binaries are requested.
Instruction Scope
note
SKILL.md confines actions to reading the provided image, running the local Python scanner, and reporting results. It does not direct reading of unrelated files or environment variables. Minor: SKILL.md uses the path 'python skills/doc-scan/scripts/doc_scanner.py' while the manifest lists 'scripts/doc_scanner.py' — this is likely a small path convention mismatch but not indicative of malicious behavior.
Install Mechanism
ok
There is no install spec (instruction-only with an included script). This is low-risk — nothing is downloaded or executed from external URLs. Note: the script requires Python packages (opencv-python-headless, numpy, Pillow, optional img2pdf); these are not installed automatically by the skill.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. The code does not read environment secrets or network endpoints; all processing is local. Required packages are appropriate for image processing.
Persistence & Privilege
ok
always is false; the skill does not request persistent/always-on privileges and does not modify other skills or system-wide agent settings. It runs a local script and writes output files only.