Skill v0.1.0
ClawScan security
pdf · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 8:20 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource usage match its stated PDF-processing purpose and do not request unrelated credentials or persistence.
- Guidance: This skill appears coherent and focused on PDF processing, but review a few practical points before installing or running it:
  - Dependency checklist: the scripts expect Python packages (pypdf, pdfplumber/pdf2image/pytesseract, reportlab, pillow, optionally pypdfium2) and command-line tools (poppler-utils like pdftoppm/pdftotext/pdfimages). The skill metadata does not declare these system/package requirements — ensure you install them in a controlled environment.
  - Privacy: the scripts operate on PDFs you provide; they do not phone home, but filled PDFs and extracted text may contain sensitive data. Run them on trusted machines and avoid sending sensitive documents to untrusted environments.
  - Code review: the included scripts monkeypatch a pypdf method and perform file writes/annotation insertion; those are reasonable for form handling but you should inspect/validate the code and test on non-sensitive samples first.
  - License: LICENSE.txt contains restrictive terms referencing Anthropic; confirm license terms are acceptable for your use case.

  If you need help enumerating or installing the exact Python packages and system utilities required, I can produce a requirements list and recommended installation commands.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included code and docs (pypdf, pdfplumber, reportlab, pdf->image conversion, form filling, bounding-box validation). No unrelated env vars, binaries, or surprising capabilities are requested.
- Instruction Scope (note): Runtime instructions and scripts stay within PDF processing (extracting text/tables, converting pages to images, filling forms, creating validation images). One minor mismatch: the docs and examples reference command-line tools (poppler-utils: pdftotext, pdfimages, pdftoppm) and Python packages (pdf2image, pytesseract) but the skill metadata does not declare required system binaries or package installation steps. Also the fillable-field script monkeypatches a pypdf internals method — expected for compatibility but worth reviewing before use.
- Install Mechanism (ok): There is no install spec that downloads arbitrary code; all code is included in the skill bundle. No external download URLs, package installs, or extract steps are present in the manifest.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths and the scripts do not read secrets or external configs. All operations act on user-supplied PDF files and local intermediate files.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated privileges or modify other skills or system-wide settings. It is user-invocable and can be invoked autonomously (platform default).
