ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dianju-ofd-tools

v1.0.0

Convert local PDF and OFD files to each other and extract text content from OFD files with temporary download links provided.

0· 109·0 current·0 all-time
bystmm@stmmer

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stmmer/dianju-ofd-tools.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "dianju-ofd-tools" (stmmer/dianju-ofd-tools) from ClawHub.
Skill page: https://clawhub.ai/stmmer/dianju-ofd-tools
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dianju-ofd-tools

ClawHub CLI

Package manager switcher

npx clawhub@latest install dianju-ofd-tools
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose (convert local PDF/OFD and extract text) is plausible, but the runtime instructions require an external service (APP_ID, APP_KEY, API_URL) and an npm package (npx dianju-ofd-tools). The skill metadata claims no required env vars, binaries, or install, so the external-service dependency and credentials are not declared — a mismatch.
!
Instruction Scope
SKILL.md tells the agent/user to run npx to fetch/execute dianju-ofd-tools and to run ofd-tools CLI commands that will read absolute local file paths. It also references APP_ID/APP_KEY/API_URL and logging env vars (ENABLE_LOGGING, LOG_TO_FILE) that are not declared. The instructions imply network calls (uploading files to a remote DCS service and returning temporary download links) which goes beyond pure local conversion and affects data exposure/privacy.
!
Install Mechanism
There is no install spec in the registry entry, but the documentation explicitly instructs use of 'npx dianju-ofd-tools' (which would fetch and run code from npm at runtime) and examples call an 'ofd-tools' CLI. That means code would be dynamically downloaded/installed from an external package registry without declared provenance — higher-risk than an instruction-only, local-only tool.
!
Credentials
The doc requires APP_ID, APP_KEY, and API_URL (and mentions logging env vars) but the skill metadata lists no required environment variables or primary credential. Requesting service credentials and an API endpoint is reasonable only if the skill truly uses a remote conversion service; failing to declare them in metadata is an incoherence that prevents privilege review and increases risk of accidental credential exposure.
Persistence & Privilege
The skill does not request always:true and has no install spec that writes persistent config in the registry data. Autonomous invocation is allowed (platform default) but there is no sign the skill requests permanent presence or modifies other skills.
What to consider before installing
This skill's docs instruct you to run npx (which will fetch and execute code from npm) and to provide APP_ID/APP_KEY and an API_URL for a remote DCS service, yet the registry entry declares no credentials or install provenance. Before installing or running: 1) Confirm the authoritative source (homepage, GitHub repo, or npm package) and review that package's code and maintainers; 2) Do not share secret APP_ID/APP_KEY with an unknown service until you verify it; 3) Prefer a local-only tool if you must keep files private, or verify the remote service's privacy/security and where temporary download links are hosted; 4) Ask the publisher to include a proper install spec, declare required env vars in metadata, and clarify whether conversions happen locally or on a remote server. If you cannot verify provenance, avoid running npx or supplying credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fpedxwgmp1rwt3kfkvncgzx83hszc
109downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
stmm@stmmer
latest
Download
name: dianju-ofd-tools
description: An OFD document processing tool that can convert local PDF and OFD files to each other and extract content from OFD files.  
version:1.0.0  
email:support-ofd@dianju.com

OFD Tools Skill

Quick Start

npx dianju-ofd-tools --APP_ID=xxx --APP_KEY=xxx --API_URL=http://ip:port/DCS

APP_ID:appid

APP_KEY:appkey

API_URL:The system API address

Features

1. PDF to OFD Conversion

  • Tool Name: pdf_to_ofd
  • Description: Convert local PDF files to OFD format
  • Parameters: 
    {
  "filePath": "string" // Absolute path to local PDF file
}
  • Returns: Temporary download link for the generated OFD file

2. OFD to PDF Conversion

  • Tool Name: ofd_to_pdf
  • Description: Convert local OFD files to PDF format
  • Parameters: 
    {
  "filePath": "string" // Absolute path to local OFD file
}
  • Returns: Temporary download link for the generated PDF file

3. OFD Content Extraction

  • Tool Name: get_ofd_content
  • Description: Extract text content from local OFD files
  • Parameters: 
    {
  "filePath": "string" // Absolute path to local OFD file
}
  • Returns: JSON array of extracted text content

Usage Examples

Example 1: Convert PDF to OFD

ofd-tools pdf_to_ofd --filePath "/path/to/input.pdf"

Example 2: Convert OFD to PDF

ofd-tools ofd_to_pdf --filePath "/path/to/input.ofd"

Example 3: Extract OFD Content

ofd-tools get_ofd_content --filePath "/path/to/input.ofd"

Notes

  1. File Paths: Ensure the local file path is correct (absolute path recommended for non-current directory files).
  2. Temporary Links: The ofd_to_pdf and pdf_to_ofd services return temporary download links for converted files; check link validity before use.
  3. Link Expiry: OFD download links may expire after a set time; download the file promptly.
  4. File Integrity: Always verify the integrity of the generated OFD file before sharing or using it.
  5. Performance: Large files may take longer to process; avoid interrupting the conversion process.
  6. Logging: Enable logging with ENABLE_LOGGING=true for troubleshooting; logs can be output to files with LOG_TO_FILE=true.

Error Handling

  • File Not Found: Ensure the file path is correct and the file exists
  • Permission Denied: Check file permissions and ensure the tool has read access
  • Conversion Failed: Verify the input file is valid and not corrupted
  • Network Issues: Check internet connectivity when using external conversion services

Support

For issues or questions, contact support at support-ofd@dianju.com.

Comments

Loading comments...