Skillv0.1.0

ClawScan security

Doc Ocr Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 1:20 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill generally matches an OCR tool, but there are inconsistencies and some risky installation/usage patterns (undisclosed config path for an API key, binary download recommendations, README install via curl|bash, and a mismatch between registry owner and referenced GitHub repo) that merit caution.
Guidance: This package looks like a real OCR tool, but take precautions before installing: - Confirm the source: README and install script point to github.com/scottkiss/..., but the registry owner ID differs — verify the correct repository and publisher before running anything. - Avoid piping remote scripts directly into bash. Instead download the install.sh, inspect it, and run it locally, or build from source (Go build) if possible. - The installer downloads a precompiled binary from GitHub releases with no checksum or signature; prefer building from source or ask the author for a checksum/signature to verify integrity. - If you use the Gemini engine, documents will be sent to a cloud service. Do not send sensitive documents unless you understand the privacy implications and trust the endpoint/service. - The skill expects ~/.ocr/config to hold your gemini_api_key but the registry metadata doesn't declare this—be careful where you store API keys and set restrictive file permissions (chmod 600 ~/.ocr/config). - Local engine dependencies (pip installs) run arbitrary Python code during installation; consider using a virtualenv or container. If you need higher assurance, request the upstream source repository and a verifiable release (checksums/signatures) or build the binary yourself from the provided source directory.

Review Dimensions

Purpose & Capability: noteThe declared purpose — OCR via Gemini (cloud) or local engines — matches the instructions and files: CLI, local engine pip requirements, and an optional Gemini API key. Nothing in the code or docs indicates unrelated capabilities, but the README references a GitHub repo/user (scottkiss) while the registry owner ID differs, which is an unexplained metadata mismatch.
Instruction Scope: concernSKILL.md instructs creating ~/.ocr/config with a gemini_api_key and running the downloaded binary. It also recommends installing Python packages for local engines. The instructions rely on a local config file (not declared in metadata) and explicitly support a cloud engine (Gemini) which will send documents to a remote service — this is scope-relevant but privacy-impacting and should be made explicit to users. The Quick Start guidance to compute SKILL_DIR from the path to SKILL.md is unusual but not harmful.
Install Mechanism: concernThere is no packaged install spec, but scripts/install.sh downloads a precompiled binary from a GitHub releases URL (https://github.com/scottkiss/doc-ocr/releases/...). Downloading binaries from GitHub releases is common but has risk: no checksum or signature verification is provided. README also suggests using curl | bash to fetch and run the install script, which elevates risk if the remote content is tampered with. The download host itself (github.com) is a known release host, so risk is moderate rather than high.
Credentials: concernSkill metadata declared no required env vars or config paths, but runtime instructions require a configuration file at ~/.ocr/config to hold gemini_api_key for the Gemini engine. This file-plus-secret requirement is not reflected in the registry metadata. Requesting a cloud API key (through a local config file) is proportionate to supporting a cloud engine, but the mismatch in declared vs. required config is an incoherence and potential surprise to users.
Persistence & Privilege: okThe skill does not request always-enabled or elevated platform privileges. It installs a binary into the skill directory and does not modify other skills or system-wide configs. Autonomous invocation is allowed by default (normal).