ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PDFlux Test

v1.0.3

Convert unstructured documents into LLM-ready structured data. Supports PDF, Word, PPT, and images; extracts paragraphs, formulas, tables, charts, and other...

1· 88·0 current·0 all-time
bySube@sube-py
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the script uploads a local file to https://platform.paodingai.com via the pdflux service, polls parsing status, and downloads Markdown. Required binary (node) and primary env var (PD_ROUTER_API_KEY) are appropriate.
Instruction Scope
SKILL.md instructs the agent to run the bundled script and to ask for PD_ROUTER_API_KEY if missing. The instructions do not ask the agent to read unrelated files, keys, or system state, nor to send data to unexpected endpoints.
Install Mechanism
No external install/remote download is performed by the skill; the functionality is entirely in the included script (instruction-only install). No suspicious third-party URLs or archive extraction are used.
Credentials
Only one required credential (PD_ROUTER_API_KEY) is declared and used solely to authenticate requests to the stated endpoint. Optional env vars (PDFLUX_*) control parsing behavior and are relevant. No unrelated secrets or config paths are requested.
Persistence & Privilege
Skill is not always-included and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalation indicators.
Assessment
This skill will upload any local file you give it to an external SaaS endpoint (https://platform.paodingai.com) using the PD_ROUTER_API_KEY you supply—do not provide that key unless you trust the service. Avoid uploading sensitive or confidential documents unless you have permission and have reviewed the service's privacy/retention policies. Confirm you run the bundled script path present in the package (scripts/upload_to_markdown.js) and ensure your Node runtime supports global fetch/FormData if running locally. If you want to prevent accidental automatic uploads, do not enable autonomous agent runs that might provide files without explicit human confirmation.
scripts/upload_to_markdown.js:21
Environment variable access combined with network send.
!
scripts/upload_to_markdown.js:88
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b4e7cz1e6qvb7e89k5jcpds83xrv2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binsnode
EnvPD_ROUTER_API_KEY
Primary envPD_ROUTER_API_KEY

Comments