ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sube Test

v1.0.4

Convert unstructured documents into LLM-ready structured data. Supports PDF, Word, PPT, and images; extracts paragraphs, formulas, tables, charts, and other...

0· 68·0 current·0 all-time
bySube@sube-py·duplicate of @sube-py/pdflux-test
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say: convert documents to Markdown via a remote parsing service. The script and SKILL.md only require node and PD_ROUTER_API_KEY and call https://platform.paodingai.com/openapi/... — these are proportionate and expected for that purpose.
Instruction Scope
SKILL.md and agents/openai.yaml explicitly require running the bundled scripts/upload_to_markdown.js, and the script's logic matches that contract (upload file, poll status, download markdown). Minor inconsistency: the script also reads environment variables PDFLUX_FORCE_UPDATE and PDFLUX_FORCE_OCR (defaulting to true) but these are not documented in SKILL.md; otherwise instructions do not access unrelated files, other env vars, or unexpected network hosts.
Install Mechanism
Instruction-only skill with a bundled Node script; no install spec or remote downloads. This minimizes on-disk installation risk.
Credentials
Only PD_ROUTER_API_KEY is required (primary credential) and is used exclusively to authenticate to the declared PDRouter endpoint. One optional env (PDFLUX_INCLUDE_IMAGES) is documented; the script additionally reads undocumented PDFLUX_FORCE_UPDATE and PDFLUX_FORCE_OCR but they are benign configuration flags rather than extra credentials.
Persistence & Privilege
always is false and the skill does not modify other skills or system settings. The agent may invoke the skill autonomously (default), which is expected for skills and not flagged on its own.
Assessment
This skill uploads the local file you point it at to the PaodingAI/PDRouter service (https://platform.paodingai.com) using the PD_ROUTER_API_KEY you provide — so only install/use it if you trust that service and are comfortable sending the document (and its contents) to that endpoint. The token grants access to the PDRouter API, so keep it secret and consider using a scoped/ephemeral key if possible. Note the script will write Markdown to stdout and optionally to a file; it may include embedded image/base64 data if you enable that. If you handle sensitive documents, test with non-sensitive data first and review the bundled script (scripts/upload_to_markdown.js) yourself; the script also reads undocumented config flags PDFLUX_FORCE_UPDATE and PDFLUX_FORCE_OCR, which are innocuous toggles but worth knowing about.
scripts/upload_to_markdown.js:21
Environment variable access combined with network send.
!
scripts/upload_to_markdown.js:88
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dnj6kwbhd9335ahz5135yxs83xkk5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
Binsnode
EnvPD_ROUTER_API_KEY
Primary envPD_ROUTER_API_KEY

Comments