Skill v1.0.0
ClawScan security
joe-tester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 9:29 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requested capabilities align with a document requirements-analyzer, but it relies on unspecified local libraries/tools (OCR/PDF/etc.) and allows writing output to user-specified paths — you should confirm tool availability and be cautious about saving sensitive documents.
- Guidance: This skill appears to do what it says: extracting and structuring requirements from common document types. Before installing or invoking it, consider:
  1. Confirm the runtime environment has the necessary libraries/tools (pandas, python-docx, an OCR/image-reading tool, and a PDF text extractor) or provide installation instructions — otherwise processing (especially images/PDFs) may fail.
  2. Only upload documents you are comfortable sharing with the agent; the skill will read entire files to extract content.
  3. When asking the skill to 'save to <path>', ensure the agent is allowed to write to that path and avoid overwriting sensitive files.
  4. If you need stricter privacy, ask for a local-only processing mode or confirm no external network calls will be made (the SKILL.md does not mention any network endpoints).
Review Dimensions
- Purpose & Capability (ok): The name/description (requirements analysis from Excel/PNG/TXT/PDF/DOCX) matches the SKILL.md: it describes extracting functional/non-functional requirements and producing structured docs. No unrelated credentials, binaries, or external services are requested.
- Instruction Scope (note): Runtime instructions stay within the stated purpose (reading provided documents, extracting requirements, producing output). They do instruct writing output to user-specified paths when the user asks — which is expected, but implies file I/O privileges. The SKILL.md references an unspecified image_read tool and generic 'PDF提取工具' ("PDF extraction tool") without naming concrete OCR/PDF libraries or fallbacks, leaving ambiguity about required local capabilities.
- Install Mechanism (note): This is instruction-only (no install spec), which is low risk. However, the instructions mention specific libraries/tools (pandas, python-docx, an image_read/OCR tool, PDF extraction tools) but do not declare dependencies or provide install guidance — the environment must already have these; otherwise the skill may fail.
- Credentials (ok): No environment variables, credentials, or config paths are requested — appropriate and proportional for a document-processing skill.
- Persistence & Privilege (ok): always:false and default invocation settings are used. The skill does not request permanent agent-wide presence or modify other skills. It may write files to user-specified locations only when the user asks, which is expected behavior.
