Is nano-pdf safe?

https://clawhub.ai/steipete/nano-pdf

Score: 82 · Verdict: SAFE

nano-pdf is a minimal, benign skill that wraps a PyPI CLI tool for natural-language PDF editing. The skill repo contains no executable code, no prompt injection patterns, and no exfiltration attempts. The primary risk is the implicit trust in the third-party nano-pdf PyPI package, which is installed at runtime and gains shell-level execution privileges.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

MEDIUM Third-party PyPI package dependency -20

The skill requires installing nano-pdf from PyPI via uv. The skill author does not control the PyPI package contents. A supply chain compromise of the nano-pdf package would grant arbitrary code execution within the agent's environment when the agent runs nano-pdf commands.

LOW CLI invocation with user-controlled input -5

The skill instructs the agent to pass natural-language instructions directly as CLI arguments to nano-pdf. If nano-pdf improperly handles shell metacharacters in its arguments, this could enable command injection. This risk depends on the nano-pdf implementation and how the agent runtime invokes the command.

INFO Runtime reads sensitive paths during init -10

Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json. These are attributable to the OpenClaw agent runtime initialization rather than the skill itself, as they occur at a uniform timestamp during the environment setup phase before skill execution.

INFO PDF editing could modify sensitive documents -5

When active, this skill gives the agent the ability to silently modify PDF content. A malicious actor combining this skill with others could alter financial documents, contracts, or reports. However, this is the skill's intended purpose and the SKILL.md appropriately advises sanity-checking output.