Pdf Smart Tool Cn
v1.1.0PDF智能处理工具 v2.1 | PDF Smart Tool. 支持PDF转换、OCR识别、合并拆分、数字签名、批量处理、水印添加、加密解密。触发词:PDF、转换、识别。
⭐ 5· 5.9k·46 current·47 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims local PDF/OCR/signature functionality which reasonably needs pdftotext, tesseract, and ghostscript (listed in SKILL.md metadata). However the registry-level requirements reported no required binaries or environment variables — this mismatch is an incoherence that could hide assumptions about available tooling or runtime behavior.
Instruction Scope
SKILL.md is an instruction-only spec describing user interactions and examples but is vague about implementation: it does not state where files are stored/processed, whether processing is local or uploaded to external services, nor how sensitive artifacts (private keys, enterprise seals, CA certificates) are supplied or protected. That open-endedness grants broad discretion to any runtime implementation and is a data-exfiltration risk if the agent chooses to upload files.
Install Mechanism
No install spec and no code files are included (instruction-only). This minimizes disk-write/install risk. The SKILL.md does require certain binaries, but no installer is provided.
Credentials
No environment variables or credentials are declared, yet features like '数字证书 (CA digital certificate)' and '企业电子签章' imply access to sensitive private keys or enterprise credentials. The skill does not explain how those keys should be provided or protected, which is disproportionate and risky for handling sensitive secrets.
Persistence & Privilege
always is false and there is no install/persistence behavior in the package. The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill is plausibly a PDF tool but has gaps you should verify before installing: 1) Confirm where file processing happens — local on your machine or uploaded to a remote server. Avoid sending sensitive PDFs (contracts, IDs) until you know. 2) Ask the maintainer how private keys/certificates and enterprise seals are supplied and stored; never provide private keys unless you trust the implementation and transport/storage. 3) Resolve the metadata mismatch: SKILL.md lists required binaries (pdftotext, tesseract, ghostscript) but the registry entry shows none — ensure the runtime will have those trusted binaries installed from official sources. 4) Prefer testing with non-sensitive documents first. 5) If you need signing or enterprise features for production, require private deployment or clear documentation about endpoints, encryption, and credential handling. 6) If no homepage or author verification exists, treat this as higher risk and consider alternatives with clear source and installation instructions.Like a lobster shell, security has layers — review code before you run it.
latestvk97241vtsm8f3ec6aracd45tvh82arww
License
MIT-0
Free to use, modify, and redistribute. No attribution required.