Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
hwp-reader
v1.0.0
Extract and analyze text, tables, images, and metadata from Korean HWP and HWPX documents, supporting both legacy and modern formats.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md clearly describes how to extract text from legacy HWP (pyhwp/hwp5) and HWPX (zip+XML). That matches the declared purpose. Minor mismatch: the registry metadata lists no required binaries or dependencies, but the instructions require Python 3.9+ and the pyhwp package (hwp5). This is an omission in the manifest rather than a capability mismatch.
Instruction Scope
Runtime instructions are narrowly focused: run small python snippets to extract text/images/metadata from a provided .hwp or .hwpx file. They reference only the target file(s) and standard Python libraries (zipfile, xml.etree). There are no instructions to read unrelated system files, environment secrets, or exfiltrate data to external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code to fetch. That lowers installation risk. The SKILL.md does recommend installing pyhwp but provides no automated install instructions; the author also lists a local install path (a user-specific /Users/... path), which is informational and not a remote download.
Credentials
The skill declares no environment variables or credentials, which is appropriate. Note: it implicitly requires Python 3.9+ and the pyhwp package; these requirements are present in the documentation but not in the registry metadata. Also the listed dependency path appears to be the author's local installation path — harmless but out-of-place for a distributable skill.
Persistence & Privilege
Skill does not request permanent presence (always:false) and uses normal agent invocation. It does not attempt to modify other skills or system-wide configuration.
Assessment
This skill appears to do what it says: extract text/images/metadata from .hwp/.hwpx files. Before installing/using it, consider:
(1) The skill is instruction-only and expects Python 3.9+ and the pyhwp (hwp5) package — the registry metadata did not declare these requirements, so ensure your agent environment has them installed.
(2) The dependency path shown in the README is the author's local path and not an installer; verify and install pyhwp from a trusted source (PyPI or the project's official repo) if you intend to run the provided commands.
(3) The skill will read and print document contents — avoid using with sensitive/confidential documents unless you trust the execution environment.
(4) If you want stronger guarantees, ask the author to add an explicit install spec (or steps) and to avoid hardcoded user-specific paths.
Overall this is coherent and not suspicious, but verify dependencies and run in an isolated/trusted environment.
