Low risk: risk score 20/100
Last scan: 18 hours ago
PDF Organizer Skill
AI-powered PDF organization tool that automatically categorizes and organizes PDF files by topic using GPT analysis
Documentation-only skill describing a PDF organizer tool with no implementation files present to analyze for malicious behavior.
Skill name: PDF Organizer Skill
Analysis time: 32.0s
Engine: pi
Verdict: safe to install
If implementation files are added, verify that API keys are stored securely (e.g., environment variables) and not exfiltrated. Review subprocess usage for shell commands.

Security findings: 2

Finding 1
Severity: Low
Finding: Documentation mismatch potential - No implementation to verify (category: documentation spoofing)
Details: SKILL.md references multiple implementation files (pdf_organizer.py, modules/, config.json, requirements.txt, setup.py) but none exist in the skill directory. Cannot verify actual behavior matches documentation.
Evidence: Project Structure references pdf_organizer.py, modules/, config.json, requirements.txt
Recommendation: → Implement files before deploying or clearly mark as documentation-only skill
Location: SKILL.md:1

Finding 2
Severity: Low
Finding: API key storage in config.json (category: credential theft)
Details: SKILL.md indicates API keys should be stored in config.json. While not malicious itself, storing credentials in config files is less secure than environment variables and could be risky if the file is committed to version control.
Evidence: openai_api_key: Your API key (required)
Recommendation: → Prefer environment variable-based API key storage and document .gitignore for config.json
Location: SKILL.md:34
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | SKILL.md describes reading PDFs from input_pdfs/ folder
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md describes renaming files and creating folder structure in organized_pdf…
Network access | READ | READ | ✓ Consistent | SKILL.md declares OpenAI/Kimi API integration for content analysis
Environment variables | NONE | NONE | | No environment variable access described in docs
Command execution | NONE | NONE | | No shell execution mentioned

Directory structure

1 file · 2.4 KB · 54 lines
Markdown: 1 file · 54 lines
└─ 📝 SKILL.md (Markdown, 54 lines · 2.4 KB)

Security highlights

✓ No malicious patterns detected in documentation
✓ No network exfiltration endpoints mentioned
✓ No credential harvesting behavior described
✓ File operations are appropriate for stated use case (PDF organization)
✓ Hierarchical organization and file naming are legitimate functionality
✓ Dry-run mode suggests careful design with rollback capability