Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI-powered PDF organizer with smart naming

v1.0.0

AI tool that categorizes PDFs by topic, extracts metadata, renames files smartly, and organizes them into hierarchical folders automatically.

by Yiming Liu (@yxl184)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md describes a PDF organizer that uses OpenAI/Kimi APIs to analyze content and rename/move files — that capability aligns with the name. However the registry metadata declares no required credentials or config paths while the instructions explicitly require an OpenAI or Kimi API key (configured in config.json). This mismatch between declared requirements and the runtime instructions is incoherent.
! Instruction Scope
The instructions tell the agent/user to run python pdf_organizer.py and reference multiple project files (modules/, requirements.txt, setup.py) but there are no code files in the package — the skill is instruction-only. The SKILL.md also implies sending extracted PDF text to external APIs (OpenAI/Kimi) but gives no guidance on privacy, truncation, or redaction. It also instructs storing API keys in config.json (plaintext), which is insecure. Overall the runtime steps could expose arbitrary PDF contents to external services and the skill gives broad discretion without safety guidance.
Install Mechanism
There is no install specification (instruction-only), which is lower risk from an installation perspective. However, SKILL.md references installing dependencies (requirements.txt, setup.py) and running a local Python script that does not exist in the package — this is inconsistent and means the skill as-published is incomplete or misleading.
! Credentials
Registry metadata lists no required environment variables or primary credential, but the SKILL.md requires an OpenAI or Kimi API key. The skill also suggests storing that key in config.json rather than using a declared/secure environment variable. Requesting an external API key for analyzing user documents is proportionate to the feature, but the omission from the declared requirements and the insecure storage recommendation are problematic.
Persistence & Privilege
The skill does not request persistent/always-on privileges and uses default autonomous invocation behavior. It does not declare modifications to other skills or system-wide settings. No concerns about persistence or elevated platform privileges were found.
What to consider before installing
Before installing or running this skill, ask the publisher for the source code or a repository link (the package currently contains only SKILL.md but claims multiple Python files). Verify where and how the API key is supplied (prefer environment variables or a secrets manager over plaintext config.json). Be aware the skill will send extracted PDF text to external APIs (OpenAI/Kimi) — do not run it on sensitive or confidential documents until you’ve reviewed the code and data handling. If you want to try it safely: request the code, run it from a reviewed repo on an isolated test machine or VM with dummy PDFs, confirm exact network endpoints used, and ensure the skill supports a local/offline mode or a provider with data-use/retention controls. If the author cannot produce source or justification for the missing metadata, treat the package as incomplete and avoid giving it access to real documents or credentials.
