Skill v1.0.0

ClawScan security

PDFExtract Pull Text from PDFs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 9:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it provides a local PDF-extraction library, requests no credentials or external services, and its code and instructions match the stated purpose.
Guidance
This skill appears to do what it claims: local PDF text extraction. Before installing, consider: (1) optional dependency: install 'pdf-parse' for best results or ensure 'pdftotext' is available on the system; (2) it reads arbitrary file paths and creates a './pdf-output' directory — avoid running it with elevated privileges and do not feed highly sensitive or untrusted PDFs to parsers without sandboxing, since PDF parsers can have vulnerabilities; (3) there are no network calls or secret requests in the code, but if you add or modify the skill, re-check for any external endpoints. If you need stronger isolation, run the skill in a container or restricted environment.

Review Dimensions

Purpose & Capability
ok: Name/description match the included code: a local PDF extraction utility. Optional dependency on the npm package 'pdf-parse' and a fallback to the system 'pdftotext' binary are coherent with extracting text from PDFs.
Instruction Scope
note: SKILL.md simply documents usage and features. The runtime code reads arbitrary file paths (pdfPath) and creates a local output directory ('./pdf-output'). Reading files is necessary for the stated task, but because the code accepts filesystem paths, be cautious about feeding untrusted paths or PDFs (parsers can have vulnerabilities).
Install Mechanism
ok: No install spec is provided (instruction-only), and the shipped code uses only standard Node APIs and optionally an npm package. No remote downloads or obscure install URLs are used.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. File system access (read PDF files, create output directory) is proportionate to its function.
Persistence & Privilege
ok: The skill is not always-enabled and is user-invocable. It creates a local './pdf-output' directory but does not modify other skills or system-wide agent settings.