Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Paperless Api
v0.1.0
Upload and categorize documents using the Paperless-ngx API. Use for automating document management tasks with your Paperless-ngx instance.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and instructions: the SKILL.md and scripts/upload_document.py both implement document upload and basic categorization via the Paperless-ngx API. No unrelated services, binaries, or credentials are requested.
Instruction Scope
Instructions are narrowly scoped: run the included Python script with --host and --api_key and optional metadata. Notable issues: the script disables TLS certificate verification (requests.post(..., verify=False)), and the SKILL.md demonstrates passing the API key on the command line (which can expose secrets in process lists or shell history). These are security/hygiene concerns but not evidence of malicious or incoherent behavior.
Install Mechanism
There is no install spec (instruction-only with a small helper script). No downloads or package installs are performed by the skill, so there is minimal install-time risk.
Credentials
The skill requires an API key and host to function, but these are provided as command-line arguments rather than declared environment variables. The requested credentials are proportional to the stated purpose. Consider that passing secrets on the CLI is less safe than using environment variables or a secrets store.
Persistence & Privilege
The skill does not request persistent platform privileges (always is false). It does not modify other skills or system configuration and does not require elevated/system-wide access.
Assessment
This skill does what it claims: it uploads documents to Paperless-ngx. Before installing/using it: (1) review the script yourself (it is included) to verify it meets your needs; (2) avoid passing API keys on the command line—use environment variables, a config file with tight permissions, or another secrets mechanism; (3) fix or remove verify=False so TLS certs are validated (or ensure you use a trusted HTTPS endpoint); (4) confirm the host URL points to your Paperless instance and not an unknown remote host; (5) be aware the script prints response JSON to stdout—don't run it with sensitive output redirected where others can read it.
Like a lobster shell, security has layers — review code before you run it.
latestvk971e6677cksw5sd21md21dfjh84aj48
