Skillv1.0.0

ClawScan security

Local File · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 2:31 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and manifest partially match its description (reading PDFs/DOCX/text) but the runtime behavior diverges from the SKILL.md: it does not enforce the 10MB limit, does not implement summarize/search operations, and it relies on an undeclared environment variable plus a hardcoded Windows path — these inconsistencies warrant caution.
Guidance: This skill partially implements a local-file reader but has several mismatches with its documentation. Before installing or enabling it: - Ask the author to explain and remove or parameterize the hardcoded path 'D:\个人' (it appears author-specific). - Require the skill to declare OPENCLAW_WORKSPACE in its metadata if it depends on that env var. - Require the code to enforce the documented 10MB size limit and to implement (or remove) summarize and search functionality described in SKILL.md. - Request path normalization and canonicalization (use path.resolve and fs.realpath) and stronger checks (not startsWith) to prevent accidental access outside allowed roots. - Audit npm dependencies (mammoth, pdf-parse) and consider running the skill in a sandboxed environment until the above fixes are made. If the author cannot justify the hardcoded path and undeclared env usage or cannot implement the documented safeguards, treat this skill as unsafe to grant file-access to.

Review Dimensions

Purpose & Capability: noteName/description promise: read, summarize, and search local text/markdown/JSON/DOCX/PDF under authorized paths and <10MB. The code implements text extraction for .txt/.md/.json/.docx/.pdf which aligns with the reading capability, but it does not implement 'summarize' or 'search' features. The presence of a hardcoded Windows path ('D:\个人') is author-specific and may be inappropriate for other users.
Instruction Scope: concernSKILL.md documents read/summarize/search commands and a 10MB file-size limit. index.js only reads and extracts text; it lacks any summarize or search logic and does not check file size. The code checks allowedRoots using a simple startsWith() test without normalizing/realpath resolution, which is a weak path restriction and could be bypassed or behave inconsistently across platforms.
Install Mechanism: okThere is no install spec (instruction-only style), which is low-risk for arbitrary downloads. package.json lists mammoth and pdf-parse as dependencies and package-lock.json is included. No install URLs or extract-from-URL steps are present.
Credentials: concernrequires.env is empty in registry metadata and SKILL.md, but index.js reads process.env.OPENCLAW_WORKSPACE as an allowed root — an undeclared environment dependency. No credentials are requested, which is appropriate, but the undeclared env var and the hardcoded 'D:\个人' path are disproportionate/unexpected and should be declared and documented.
Persistence & Privilege: okalways is false and there are no install hooks or code that modifies agent/system configuration. The skill does not request persistent privileges beyond reading files when invoked.