Skill v0.0.3

ClawScan security

Pdf Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 3:21 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a local PDF/DOCX/OCR/TTS toolkit; it does not request unrelated credentials or hidden network endpoints beyond the documented TTS service, but it can read/write arbitrary host paths and installs Python dependencies at runtime via uv.
Guidance
This skill appears to do what it says: local PDF/DOCX processing, OCR, and text→speech. Before installing or running it:
1) Be aware it operates on any filesystem path you provide — do not pass paths to secrets or system files you don't want read or written.
2) TTS uses edge-tts (network): avoid sending sensitive text to TTS because it will leave the host.
3) The tool uses 'uv run' to fetch Python packages at runtime (packages are listed but not version-pinned); if you require stricter supply-chain controls, run it in an isolated environment or pin/verify dependency versions.
4) Optional binaries (ffmpeg, tesseract, pdfimages, pandoc, libreoffice) are only needed for their respective features — install them only if you use those features.
5) If you want maximum safety, review the included source files locally and run the skill in a sandboxed container before granting it access to important host paths.

Review Dimensions

Purpose & Capability
ok · The name/description match the included code: the scripts provide PDF metadata, extraction, merging, splitting, OCR, DOCX read/write, conversion, and TTS. The only required binary declared in the registry is 'uv', which matches the SKILL.md and the included wrapper (pdf-toolkit.sh) that executes 'uv run'. Optional system binaries (ffmpeg, tesseract, pdfimages, pandoc, libreoffice) are documented in SKILL.md and used only when those features are invoked.
Instruction Scope
note · SKILL.md instructs the agent to run 'uv run' on the included main.py and documents which system tools are optional. The skill explicitly states it will read/write any host path the caller supplies; the code resolves and opens absolute paths, so if a user provides an arbitrary system path the skill will read/write it. The only external network behavior described is edge-tts for TTS. This broad filesystem access is coherent for a file-manipulation tool but is a sensitive capability the user should be aware of.
Install Mechanism
note · There is no formal install spec; this is run via 'uv run', and main.py includes a header listing Python dependencies. That means uv will fetch and install (or use) packages from the Python ecosystem at runtime. Dependencies are not pinned to specific versions in the header. Runtime installation from PyPI is expected for this skill's Python libraries, but it increases the attack surface compared to a purely local, pre-vetted bundle.
Credentials
note · The skill requests no environment variables or credentials (primaryEnv none). That's proportionate. However, it will send TTS text to an external service (edge-tts) if TTS is used — SKILL.md warns about this. The code will access any filesystem path supplied by the caller (including ~ and absolute paths), which is necessary for the tool but can expose sensitive files if the user supplies them.
Persistence & Privilege
ok · always:false and user-invocable:true; the skill does not request elevated/system-wide persistence and does not modify other skills or agent-wide configuration. It runs on demand and does not require automatic always-on privileges.