Skillv0.1.0

ClawScan security

pdf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 6:10 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions generally match a PDF processing toolkit, but there are a few inconsistencies (missing referenced script, odd cross-skill/marketing text, and license/owner mismatch) that deserve review before use.
Guidance: This skill appears to implement legitimate PDF form and annotation workflows and contains no obvious network exfiltration or obfuscated code. Before installing or using it: 1) Inspect the missing/odd references — SKILL.md references python scripts/generate_schematic.py and an external 'scientific-schematics' skill and 'Nano Banana Pro' which are not included; search your environment for that script or remove those instructions if you don't want cross-skill calls. 2) Verify licensing: LICENSE.txt references Anthropic proprietary terms while the skill source/owner is unknown; confirm you have rights to use the code. 3) Install required Python packages (pypdf, pdf2image, pillow, pdf2image's poppler dependency) from trusted sources and run the scripts on non-sensitive test PDFs first. 4) Because the skill will process local documents, avoid feeding sensitive PDFs until you are satisfied the workflow and outputs are correct. If you need assurance about the missing generate_schematic.py or the 'Nano Banana Pro' references, ask the publisher for clarification or decline installation.

Review Dimensions

Purpose & Capability: okThe files and scripts (pypdf, pdf2image conversion, bounding-box checks, field extraction, annotation/filling) align with the declared purpose of PDF manipulation and form filling. The included helper scripts implement the workflows described in forms.md and SKILL.md.
Instruction Scope: concernSKILL.md instructs the agent to run a script python scripts/generate_schematic.py and to use an external 'scientific-schematics' skill and 'Nano Banana Pro' for diagram generation, but no generate_schematic.py is present in the repository. SKILL.md also contains strong prescriptive language about always generating schematics by default — this is scope creep (non-essential to PDF processing). Otherwise, the forms.md instructions are detailed and the scripts referenced (convert_pdf_to_images.py, extract_form_field_info.py, fill_pdf_form_with_annotations.py, etc.) exist and operate locally without network calls.
Install Mechanism: okNo install specification is provided (instruction-only with included scripts). That is low-risk; nothing in the package pulls arbitrary remote archives or installs third-party code automatically. That said, the code depends on Python libraries (pypdf, pdf2image, pdf2image's poppler dependency, PIL, pdf2image/poppler) which the user must install; those are normal for this functionality.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The scripts operate on local files and do not attempt to read unrelated system files or credentials.
Persistence & Privilege: okalways is false and the skill does not request permanent presence or modify other skills or system-wide settings. Scripts operate on input/output files only.