ClawHub

pdf-skill

v1.0.0

Create, read, edit, merge, split PDF files. Supports text extraction, table extraction, form filling, watermarks, OCR, and HTML-to-PDF conversion.

0· 204·0 current·0 all-time
by@weaglewang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (create/read/edit/merge/split/OCR/HTML→PDF) match the instructions and libraries used (pypdf, pdfplumber, weasyprint, pytesseract, pdf2image, poppler). Required tools and packages are what you would expect for these tasks.
Instruction Scope
SKILL.md stays on-scope: it shows reading/writing local PDF files, table/text extraction, merges/splits, HTML-to-PDF conversion, and optional OCR/form-filling steps. It does instruct installing packages and system binaries. It can fetch external assets when using weasyprint or arbitrary file paths (thus may read any file the agent has filesystem access to), but it does not instruct exfiltration or access to unrelated system credentials.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to run 'pip install ...' and optionally 'brew install ...' — standard but potentially impactful because pip/Brew will execute third-party code on installation. No downloads from untrusted URLs or archive extraction steps are present.
Credentials
The skill declares no required environment variables, credentials, or config paths. The examples do show decrypt('password') as a usage pattern for encrypted PDFs, but there is no request for unrelated secrets or cloud credentials.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. The default ability for the model to call the skill autonomously remains (platform default) but is not accompanied by other concerning privileges.
Assessment
This skill appears coherent for PDF work, but it's from an unknown source and depends on third-party packages and system binaries. Before installing or granting agent access: 1) review and pin package versions (avoid blindly running pip install without versions); 2) install packages in a virtual environment or isolated container and do not run as root; 3) be aware the skill needs filesystem access to read/write PDFs (limit to safe directories); 4) optional OCR requires system tools (tesseract, poppler) which you must install separately; 5) weasyprint may fetch remote assets when converting HTML — avoid supplying untrusted URLs to prevent remote requests; and 6) if you need higher assurance, request a skill with a known homepage or source repository and signed releases. If you want, I can produce a vetted requirements list with pinned versions and minimal install commands to reduce risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk977nbv4nx6dcvmyw689m5k5ah83dcj2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments