Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenDataLoader PDF Parser (乌贼版)
v1.0.0
PDF parsing tool for AI/RAG. Convert PDF to Markdown, JSON, HTML with layout preservation, bounding boxes, and image extraction. Use when you need to extract...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, CLI examples, and included test script all align with a PDF parsing CLI. The SKILL.md states the package is installed via pipx and bundles a PDFBox JAR — that is coherent for a Java-based PDF tool. Minor inconsistency: registry metadata lists no homepage/source while SKILL.md includes a GitHub homepage URL, which should be verified.
Instruction Scope
Runtime instructions only run a local CLI (opendataloader-pdf) against local PDF files and write output to local directories. They do not instruct reading unrelated system files or environment variables. Ambiguity: the '--hybrid' / 'Hybrid AI mode: docling-fast' option could imply contacting an external AI service or model; SKILL.md gives no details about network calls, remote endpoints, or required API keys.
Install Mechanism
No install spec in the registry; SKILL.md recommends 'pipx install opendataloader-pdf'. Installing from PyPI/pipx runs package install scripts which may execute code at install time and will pull the package from wherever it's published. The SKILL.md claims a GitHub homepage, but the registry shows source unknown — confirm the exact pip package name and origin before installing.
Credentials
The skill declares no required environment variables, no secrets, and no config paths. That is proportionate for a local PDF parsing CLI. However, the hybrid/AI option appears under-specified: if it uses a remote service it would typically require API credentials (none are declared), so verify whether additional credentials are needed at runtime.
Persistence & Privilege
The skill does not request persistent/autostart privileges (always:false). It is user-invocable and allows autonomous invocation (default) which is normal. It does not declare modifications to other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (convert PDFs locally) but there are a few red flags to check before installing:
1) Verify the pip package source — confirm the exact PyPI package and/or GitHub repo matches the SKILL.md homepage and is from a trusted maintainer.
2) Inspect the package contents (and bundled JAR) before installing, or install into an isolated environment/container to observe behavior.
3) Ask the maintainer or check docs what '--hybrid' (docling-fast) does and whether it calls remote services or requires API keys — if it does, confirm what endpoints and credentials are used.
4) Because pipx runs code at install time, avoid installing on sensitive/production hosts until you've validated the package.
If you want, provide the actual pip package name or the source repo and I can check it for further inconsistencies.
Like a lobster shell, security has layers — review code before you run it.
latest vk97b26en7qdzq9d9nxbzeckgpn83sj0g
