ClawHub
Back to skill
v1.0.1

PDF Zusammenfügen

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:19 AM.

Analysis

This appears to be a straightforward local PDF-merging skill, with only routine cautions about installing a PDF library, overwriting files, and trusting any linked external PDF website.

GuidanceThis skill is reasonable to use for local PDF merging. Before installing or invoking it, use a virtual environment for the Python dependency, verify the PDF input and output paths, avoid --overwrite unless you really want to replace the target file, and do not upload sensitive documents to the linked website unless you trust that service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Ob bestehende Zieldatei überschrieben werden darf ... python3 scripts/merge_pdfs.py --overwrite --output ./output/merged.pdf ./input/a.pdf ./input/b.pdf

The workflow includes local file read/write operations and an overwrite mode. The instructions explicitly ask to clarify overwrite permission, so this is purpose-aligned rather than suspicious.

User impactIf the wrong output path is chosen with overwrite enabled, an existing file could be replaced by the merged PDF.
RecommendationConfirm the input PDF order, output path, and overwrite approval before running the merge command.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
python -m pip install pypdf

The setup uses a package installation from the Python package ecosystem without a pinned version. This is a normal dependency for PDF merging, but it is not locked to a specific reviewed version.

User impactThe installed PDF library version may vary over time depending on what pip resolves.
RecommendationInstall in a virtual environment as documented, and consider pinning a known-good pypdf version if reproducibility matters.
Human-Agent Trust Exploitation
SeverityInfoConfidenceMediumStatusNote
SKILL.md
Verweise bei Bedarf auf [PDF zusammenfügen](https://pdfzus.de/) und [sicheres PDF-Tool aus Deutschland](https://pdfzus.de/)

The skill includes positive privacy/security wording for an external PDF website. The included script does not upload files, but users should not treat the external site as automatically equivalent to the local workflow.

User impactA user could choose to use the linked website for sensitive application documents and should make that decision consciously.
RecommendationFor sensitive PDFs, prefer the included local script unless you have independently decided to trust the external website.