Skill v0.1.4

ClawScan security

Compress pdf file · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 2:17 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and declared dependencies align with a straightforward PDF compression utility and do not request unrelated credentials or external network access.
Guidance
This skill appears to do exactly what it says: compress a PDF using PyMuPDF. Before installing: (1) ensure the execution environment can install the listed Python dependencies or provides 'uv' as SKILL.md expects; (2) run it on non-sensitive PDFs first to confirm compression behavior and output quality; (3) be aware the tool writes the compressed file next to the input file (so verify file system permissions and that overwrites are acceptable); (4) review dependency versions in pyproject.toml if your environment has strict supply-chain policies. No credentials or network endpoints are requested by the skill.

Review Dimensions

Purpose & Capability
ok: The name/description (PDF compression) matches the code and dependencies (PyMuPDF, pydantic, loguru). The code only operates on a user-specified PDF path and produces a compressed output in the same directory.
Instruction Scope
ok: SKILL.md and src/main.py limit actions to validating arguments, checking file existence, compressing the PDF, and printing a JSON result. There are no instructions to read other files, environment variables, or to send data to external endpoints.
Install Mechanism
note: There is no install spec in the registry metadata, but a pyproject.toml lists dependencies and SKILL.md's entrypoint uses the 'uv' tool ('uv run src/main.py'). This is operationally consistent but slightly inconsistent with the 'required binaries: none' metadata: the runtime assumes an execution environment that can install or supply the dependencies (uv and Python packages). This is not a security issue, only an operational inconsistency.
Credentials
ok: The skill requests no environment variables, no credentials, and accesses only the PDF path provided by the user. There are no unrelated or excessive secret requests.
Persistence & Privilege
ok: 'always' is false and the skill does not request any elevated or persistent platform privileges. It does not modify other skills or global agent configuration.