Skillv0.1.0

ClawScan security

Pdf To Image Preview · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 7:43 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill does what it claims (convert PDF pages to images) and asks for no credentials or installs, though documentation and example paths contain minor inconsistencies that are likely sloppy rather than malicious.
Guidance: This skill is internally coherent and appears to implement the promised PDF → image functionality without requesting credentials or network access. Before installing: (1) note the docs mismatch — the usage guide mentions a different script name and an --html-output option that the included script does not implement; treat this as a documentation bug. (2) Install pymupdf from a trusted source (pip from PyPI) and run the script in a sandbox or with non-sensitive PDFs first. (3) Respect the 100-page limit and ensure you have write permissions and sufficient disk space. (4) If you need HTML preview generation, either implement it yourself or ask the publisher for the correct script/version. If any unexpected network activity appears when running the script, stop and investigate.

Review Dimensions

Purpose & Capability: noteThe name/description match the included script: scripts/convert_pdf_to_images.py converts PDF pages to PNG/JPG and supports DPI and ZIP output; the SKILL.md correctly declares the pymupdf dependency. Minor inconsistency: references/usage-guide.md and some examples mention a different script name (pdf_to_images.py) and an --html-output option that is not implemented in the provided script. This appears to be documentation drift rather than a functional mismatch with required capabilities.
Instruction Scope: noteRuntime instructions are limited and explicit: run the included Python script with input/output paths and optional --zip. The script only reads the specified PDF and writes image files/ZIP in the output dir. There are no instructions to read unrelated files, environment variables, or to send data externally. The only concern is the documentation examples that reference an unimplemented --html-output option and a different script path, which could confuse users but do not expand runtime scope.
Install Mechanism: okNo install spec is provided (instruction-only plus bundled script). The only dependency is PyMuPDF (pymupdf) which is a normal Python package—no arbitrary downloads, extract actions, or external installers are present in the bundle.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The script operates on local files only, so the requested environment access is minimal and proportionate to its stated purpose.
Persistence & Privilege: okThe skill does not request always: true, does not persist configuration, and does not modify other skills or global agent settings. It runs on-demand and has no autonomous persistence requirements.