Skill v1.3.0
VirusTotal security
Pdf Ocr Tool · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict: Suspicious (Apr 30, 2026, 4:37 AM)
- Hash: acf72b58816a8700173505b3b4eb327b199e6b6ef8afdca50cb94d72cb73d114
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: pdf-ocr-tool. Version: 1.3.0. The skill is classified as suspicious due to two significant vulnerabilities. First, the `hooks/install-deps.sh` script attempts to fetch `pyproject.toml` and `uv.lock` from a GitHub repository (`https://raw.githubusercontent.com/nala0222/pdf-ocr-tool/refs/heads/master/`) if local copies are not found. This introduces a supply chain risk, as a compromise of the GitHub repository could lead to the installation of malicious dependencies. Second, the `utils/pdf_utils.py` module uses `subprocess.run` to execute external binaries (`pdftoppm`, `pdfinfo`) with `pdf_path` directly derived from user input (`args.input` in `ocr_tool.py`). This creates a potential shell injection vulnerability if the input PDF path contains malicious shell metacharacters, allowing arbitrary command execution.
