Back to skill
Skillv1.0.0
ClawScan security
pdf-to-word · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 12:52 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, docs, and requirements all line up with its stated purpose (convert a local PDF file to a .docx); it requires only the pdf2docx Python library and does not request credentials or perform network operations.
- Guidance
- This skill appears coherent and small: it converts a provided local PDF file to .docx using the pdf2docx library. Before installing or using it: (1) confirm you want to install pdf2docx==0.5.8 from PyPI in a trusted environment (preferably a sandboxed/isolated runtime), (2) avoid uploading highly sensitive documents unless you control the runtime — the script runs on the host that executes it and will access the files you give it, (3) note that scanned/image-only PDFs likely need OCR (this skill does not do OCR), and (4) if you require extra assurance, review the small convert.py source and the pdf2docx package contents for any unwanted behavior.
Review Dimensions
- Purpose & Capability
- okName/description (PDF → Word) matches the included script and requirements. The only dependency is pdf2docx, which is appropriate for this functionality. No unexpected binaries, credentials, or unrelated privileges are requested.
- Instruction Scope
- okSKILL.md asks the user to provide a PDF file and describes conversion to .docx. The runtime instructions and the convert.py implementation operate on a local file path, print the output path, and do not reference other files, environment variables, or external endpoints. The docs explicitly warn that scanned PDFs/OCR are not supported.
- Install Mechanism
- okThere is no install spec (instruction-only skill) and a simple requirements.txt listing pdf2docx==0.5.8. Installing from PyPI is the expected way to obtain that library. No downloads from arbitrary URLs or archive extraction are present.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The script only needs access to the supplied PDF file and to write the output .docx.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent agent privileges or modify other skills or system settings. It runs on demand and has no autonomous or elevated persistence requirements.