Ofd Reader skill

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to locally convert user-selected OFD files to text or Markdown, with only a minor supply-chain note about an optional dependency installer.

This looks safe for local OFD-to-text/Markdown conversion. Be mindful that OFD files may contain sensitive document contents, and only run the optional dependency installer if you trust the package source.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

If you run the optional installer, you are trusting a changing third-party package; the main OFD extraction scripts appear designed to work without it.

Why it was flagged

The optional helper installs an unpinned third-party Python package, adding package-index supply-chain trust if the user chooses to run it.

Skill content

dependencies = [
        "ofdrw>=0.3.0",
    ] ... subprocess.check_call([sys.executable, "-m", "pip", "install", package])

Recommendation

Prefer using the standard-library conversion scripts directly, or pin and review the dependency before running the installer.