Is pdf-extract safe?

https://clawhub.ai/Xejrax/pdf-extract

85
SAFE

pdf-extract is a minimal, documentation-only skill that provides usage instructions for the well-known pdftotext utility from poppler-utils. It contains no executable code, no hidden prompt injection, no git hooks, and no dependencies. The only notable observations are sensitive file accesses (.env, .aws/credentials) during installation, which appear attributable to the openclaw runtime rather than the skill itself. No outbound network activity was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (7)

MEDIUM AWS credentials file accessed during install -20

The openclaw runtime accessed /home/oc-exec/.aws/credentials during the skill installation process. While no outbound network connections were observed (meaning no data was exfiltrated), the file was opened and read. This appears to be openclaw gateway behavior rather than skill-initiated, but the access occurs in the context of installing this skill.

LOW .env file accessed during install -10

The install process read /home/oc-exec/.env. This is likely the openclaw runtime loading its own configuration, but it means environment variables (potentially containing secrets) are loaded into memory during skill installation.

LOW Auth profiles accessed during install -5

The openclaw runtime read agent auth-profiles.json during installation, which may contain authentication tokens or API keys.

INFO Clean SKILL.md with no injection vectors -5

The skill's SKILL.md contains only legitimate documentation: a YAML frontmatter block with metadata, usage examples for pdftotext, and an install command. No hidden instructions, persona manipulation, or obfuscated content detected.

INFO Suggests sudo dnf install -10

The skill instructs users to run 'sudo dnf install poppler-utils' which requires root privileges. This is standard practice for system package installation and installs a legitimate, well-known open-source package (poppler-utils). The user must explicitly approve this action.

LOW Temporary files created in /tmp during install -12

The install process created a gateway lock file in /tmp/openclaw-1000/ and JIT-compiled JavaScript modules in /tmp/jiti/. These are openclaw runtime artifacts and not skill-initiated, but represent filesystem activity outside the skill directory.

INFO Lock.json references different skill name -10

The .clawhub/lock.json references 'academic-research-hub' rather than 'pdf-extract', suggesting this installation environment was previously used for a different skill audit or the lock file is shared across audits. This is an environmental observation, not a skill defect.