Skill v1.0.9

ClawScan security

Somark Document Parser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 1:17 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it parses documents by calling SoMark's API and only requests the SoMark API key; nothing in the files indicates unrelated or hidden behavior.
Guidance
This skill sends any parsed files (and your SOMARK_API_KEY) to somark.tech to do the work — that is the intended behavior. Before installing: 1) Confirm you trust somark.tech and are comfortable sending documents (do not send highly sensitive PII or secrets unless allowed by your policy). 2) Verify how the script receives the API key (environment vs CLI) and store keys with least privilege and rotation. 3) Check where output files are written and whether temporary uploads are removed if you are worried about disk leakage. 4) Test on non-sensitive documents first to confirm behavior and billing characteristics. If you need the parser to run fully offline or to avoid external uploads, this skill is not appropriate.

Review Dimensions

Purpose & Capability
ok · Skill name/description match the included code and instructions: the Python script and SKILL.md upload files and POST them to somark.tech for parsing. No unrelated credentials, binaries, or services are requested.
Instruction Scope
note · Instructions direct the agent to save uploaded files locally and run the provided somark_parser.py to convert files to Markdown/JSON — this is expected. Minor omission: the CLI examples in SKILL.md do not explicitly show how the SOMARK_API_KEY is passed to the script (the metadata declares the env var). The script (truncated) posts files and form data to SoMark endpoints; it writes output files to disk (output directory). Review handling of temporary files if you are concerned about sensitive data left on disk.
Install Mechanism
ok · No install spec is included (instruction-only plus a bundled script). No remote downloads or extract steps. The only network targets are somark.tech API endpoints shown in the script.
Credentials
ok · Only SOMARK_API_KEY is required and is the primary credential — this matches the stated purpose. Note: the API key and file contents are transmitted to somark.tech as part of normal operation, so the key will be sent over the network and is required for the service.
Persistence & Privilege
ok · The skill does not request persistent/always-on privileges and does not modify other skills or system-wide settings. It reads/writes files only in the specified output directory.