Paper Translator
ReviewAudited by ClawScan on May 10, 2026.
Overview
The PDF translation workflow is coherent, but first use can automatically run remote installer code and install an unpinned package, so it should be reviewed before use.
Before using this skill, consider pre-installing uv and pdf2zh-next from trusted, pinned sources instead of letting the script run remote installation automatically. Run it on non-sensitive PDFs first, and copy only the specific translated output files you intend to share through QQBot.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the translator can execute remote installer code as the user's account before processing the PDF.
On first use, the wrapper downloads a shell script from the network and executes it without a checksum, signature check, version pin, or separate confirmation.
curl -Ls https://astral.sh/uv/install.sh | sh;
Install uv through a trusted package manager ahead of time, or require explicit user approval plus checksum/signature verification before executing any remote installer.
A future, compromised, or unexpected version of the dependency could run with the user's local permissions.
The main translation dependency is installed dynamically without a pinned version or lockfile, so the reviewed artifacts do not determine exactly what code will run.
uv tool install pdf2zh-next;
Pin pdf2zh-next to a reviewed version, declare it in an install spec or lockfile, and avoid installing it automatically during normal skill execution.
If followed as written in a directory with multiple PDFs, the user could accidentally stage or send unintended documents.
The optional QQBot workflow stages PDFs for sending via a media channel, and the wildcard can include more PDFs than just the translated outputs.
cp *.pdf ~/.openclaw/media/qqbot/uploads/ ... Then send using `<qqmedia>/path/to/file.pdf</qqmedia>`
Copy only the specific generated files you intend to share, and verify the QQBot media path before sending.