ClawHub

Remove password from PDF

v1.0.0

Remove password protection from a PDF by uploading it (with its current password) to the Solutions API, polling until completion, then returning a download URL for the unlocked PDF.

0· 1k·1 current·1 all-time
by@crossservicesolutions
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description match the code and SKILL.md: it uploads a password-protected PDF and the current password to a remote Solutions API and polls for a result. However the registry metadata lists no required environment variables or primary credential, while both SKILL.md and the script require an API key (SOLUTIONS_API_KEY or passed via --api-key). That metadata omission is an incoherence that affects trust and automated vetting.
!
Instruction Scope
The SKILL.md and the included script limit their actions to: read the supplied PDF file, accept the current password, upload both to the external API, poll job status, and return the download URL. That scope is consistent with the stated purpose. The important concern is that the instructions explicitly send both the sensitive PDF and its password to an external service (api.xss-cross-service-solutions.com) — expected for this functionality but a significant privacy/security risk if the service/operator are untrusted or malicious.
Install Mechanism
There is no install spec (instruction-only), lowering install risk. A small Python script and requirements.txt (requests) are included; running it requires installing requests. No download-from-unknown-URL or installer actions are present in the manifest.
!
Credentials
The skill requires an API key (used as a Bearer token) according to SKILL.md and the script (env var SOLUTIONS_API_KEY or --api-key), but the registry metadata lists no required env vars and no primary credential. This mismatch is concerning because it hides that a credential is necessary. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system-wide settings, and does not request persistent privileges. Model invocation remains allowed (platform default).
What to consider before installing
This skill will upload your protected PDF and its current password to a third-party API and return a URL for the unlocked file. Before installing or using it, consider: 1) The registry metadata does not declare the API key requirement even though the SKILL.md and script do — that should be fixed or explained. 2) There is no homepage or verifiable vendor information (owner is unknown); confirm the legitimacy of https://login.cross-service-solutions.com and the API domain (api.xss-cross-service-solutions.com) before sending sensitive documents or passwords. 3) If the PDF contains sensitive data, avoid using an untrusted third-party service — prefer local tools that remove PDF passwords offline. 4) If you must use this skill, test it with non-sensitive files first, and only provide an API key scoped and revocable for this service. 5) Additional information that would reduce concern: a verifiable project homepage or vendor identity, registry metadata updated to declare SOLUTIONS_API_KEY as the primary credential, and independent confirmation that the service handles uploaded files/passwords according to acceptable privacy/security policies.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bz0v8nwmdyptdw6t5ahj0c180t787
1kdownloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@crossservicesolutions
latest
Download

remove-password-from-pdf

Purpose

This skill removes password protection from a PDF by:

  1. accepting a password-protected PDF from the user,
  2. accepting the current password from the user,
  3. uploading both to the Solutions API,
  4. polling the job status until it is finished,
  5. returning the download URL for the unlocked PDF.

Credentials

The API requires an API key used as a Bearer token:

  • Authorization: Bearer <API_KEY>

How the user gets an API key:

Rule: never echo or log the API key.

API endpoints

Base URL:

  • https://api.xss-cross-service-solutions.com/solutions/solutions

Create remove-password job:

  • POST /api/33
  • multipart/form-data parameters:
    • file (PDF-Datei) — required — PDF file
    • password (Password) — required — string (current password to unlock)

Get result by ID:

  • GET /api/<ID>

When done, the response contains:

  • output.files[] with { name, path } where path is a downloadable URL.

Inputs

Required

  • PDF file (binary)
  • Current password (password, string)
  • API key (string)

Optional

  • None

Output

Return a structured result:

  • job_id (number)
  • status (string)
  • download_url (string, when done)
  • file_name (string, when available)

Example output:

{
  "job_id": 654,
  "status": "done",
  "download_url": "https://.../unlocked.pdf",
  "file_name": "unlocked.pdf"
}

Comments

Loading comments...