PDF to Word
Advisory
Audited by VirusTotal on Mar 29, 2026.
Overview
Type: OpenClaw Skill
Name: pdf-to-word-vei
Version: 1.0.0
The skill bundle describes a document conversion service that lacks authentication (as explicitly stated in references/api.md) and relies on shell-executed tools such as LibreOffice and pdftoppm (SKILL.md). While these tools are necessary for the stated functionality, the combination of no authentication and shell-based processing constitutes a significant security vulnerability (potential RCE or unauthorized access) if the service is exposed or handles untrusted input. The documentation also references a hardcoded local path (/home/vei/...) which may not be applicable to all users.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may be safe if the local converter service is trusted, but the provided package does not prove what that service actually does.
The skill depends on a local doc-converter project that is not included in the provided files, so its code and dependency provenance cannot be reviewed here.
PDF to Word conversion skill, implemented on top of the doc-converter project. ... /home/vei/.openclaw/workspace/doc-converter/
Use only with a trusted local doc-converter installation, and inspect or publish the referenced service code and install requirements.
If the service is reachable by other local processes or exposed on a network, others could potentially call conversion or history endpoints.
The documented local API has no authentication and includes file upload, download, history, and delete endpoints. This is common for localhost tools, but it should not be exposed beyond the intended local user.
- **Base URL**: `http://localhost:3000/api/v1` - **Authentication**: None ... No authentication is required; all endpoints can be called directly.
Keep the service bound to localhost, firewall it from other users/networks, and require user confirmation before uploads, deletes, or history access.
Sensitive documents may remain in local storage or conversion history after the conversion completes.
Uploaded PDFs and converted outputs are stored locally and tracked in task/file records until expiration, which matters because PDFs may contain sensitive content.
File record created, file stored to storage ... fields ... storagePath ... expiresAt
Avoid uploading highly sensitive PDFs unless you trust the local storage, and provide or use cleanup controls for old files and task history.
