Skill v1.0.1

ClawScan security

Llamaparse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 8:36 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it requires a LlamaCloud API key and a Python SDK, the provided scripts and instructions map to that purpose (uploading documents to LlamaCloud for parsing), and there are no unrelated credentials, unusual network endpoints, or covert behaviors in the bundle.
Guidance
This skill will upload whatever files you point it at to LlamaCloud for parsing — ensure you trust that service before sending sensitive documents. The only secret it needs is LLAMA_CLOUD_API_KEY; treat that key like any API credential (scoped, rotated, and not shared). If you need higher assurance, review the llama-cloud package source (GitHub link is provided in the references) or run the scripts in an isolated environment. Note: the scripts will optionally fetch presigned image URLs (using httpx) to save screenshots; httpx isn't required but will be used if installed. Verify billing/usage on your LlamaCloud account if you plan to batch-process many files.

Review Dimensions

Purpose & Capability
ok: Name/description, required env var (LLAMA_CLOUD_API_KEY), required binary (python3), the declared Python package (llama-cloud), SKILL.md, and the two scripts all align with a document-parsing integration against LlamaParse/LlamaCloud.
Instruction Scope
note: Instructions and both scripts explicitly upload local documents to the LlamaCloud API and save returned outputs; this matches the described purpose. Users should note that uploading sends their documents to an external service (expected for this skill). The scripts may optionally fetch presigned image URLs using httpx (the code gracefully handles httpx not being installed).
Install Mechanism
note: Install spec installs the Python package 'llama-cloud' (kind: uv). Installing a package is expected for a Python SDK; 'uv' as an install kind is uncommon in other ecosystems but the package referenced corresponds to the documented SDK. Installing from PyPI/GitHub is a normal moderate-risk operation — verify the package source if you require higher assurance.
Credentials
ok: Only LLAMA_CLOUD_API_KEY is required and declared as the primary credential. That is proportional for a cloud parsing integration. No other unrelated secrets or system config paths are requested.
Persistence & Privilege
ok: always is false, the skill does not request permanent/system-wide changes, and it does not modify other skills or agent configs. The scripts only read files provided by the user and write outputs to specified output directories.