ClawHub

Convert to PDF

v1.0.0

Convert one or multiple documents to PDF by uploading them to Cross-Service-Solutions, polling until completion, then returning download URL(s) for the converted PDF(s) (or a ZIP if multiple).

0· 1.3k·1 current·1 all-time
by@crossservicesolutions
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the code: the script uploads files to a 'Solutions' API, polls for completion, and returns download URLs. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md and script clearly require an API key (SOLUTIONS_API_KEY or --api-key). That omission is an incoherence: a convert-to-pdf skill legitimately needs the service API key but the metadata doesn't advertise it.
Instruction Scope
SKILL.md and the script stay within the stated purpose: they request files from the user, upload them to the external API, poll job status, and return output URLs. The instructions explicitly require an API key and explicitly state not to echo it. The skill will transmit user files to a third party (the Solutions API), which is expected behavior for this functionality but is an important privacy consideration.
Install Mechanism
There is no install spec (instruction-only skill), so nothing arbitrary is downloaded or installed by an installer. A Python script is included in the bundle (requests dependency), which is normal for a CLI-style helper. Risk is limited to executing included code; no remote install of unknown binaries is present.
!
Credentials
The SKILL.md and script require an API key (SOLUTIONS_API_KEY or --api-key) and accept a base URL override, but the registry metadata lists no required env vars or primary credential. Asking for an API key is proportionate to the described purpose, but the metadata omission is misleading and increases risk (users may not realize they must provide a secret). The skill will transmit user files and the API key (as a Bearer token) to the configured host; ensure the key is not reused across unrelated services.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent settings. It runs on invocation and does not demand persistent elevated privileges.
What to consider before installing
Before installing: (1) Understand that this skill uploads your files to a third-party service (https://api.xss-cross-service-solutions.com); do not send sensitive documents unless you trust the provider and have reviewed their privacy/TOS. (2) The skill requires an API key but the registry metadata fails to declare it — expect to provide SOLUTIONS_API_KEY or pass --api-key. (3) Verify the service hostname and owner; the package has no homepage and an unfamiliar owner ID, so confirm the provider is legitimate (the 'xss' substring in the domain is unusual and worth verifying). (4) Test with non-sensitive files first and consider creating a throwaway API key scoped only for this purpose. (5) If you will run the included Python script, inspect it (it's small and readable) and run it in a sandbox or isolated environment; note it sends files and a Bearer token to the configured base URL. (6) If you need the skill to be auditable, ask the publisher to update registry metadata to declare the required env var and to provide a homepage or official docs/terms. If you cannot verify the provider or are uncomfortable uploading files, do not install/use the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9750m27jknr3g6afbx0syvqq580trea

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments