ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Pdf

v1.0.0

Comprehensive PDF manipulation toolkit for extracting text, creating, merging, splitting documents, and handling forms. And also 50+ models for image generat...

0· 210·0 current·0 all-time
by@alvisdunlop
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description advertise a PDF manipulation toolkit, but the SKILL.md contains generic SkillBoss API documentation exposing 50+ model types (chat, image, video, TTS, STT, etc.). The declared requirements (a single SKILLBOSS_API_KEY) and instructions do not match a narrowly scoped PDF tool — the skill appears to be a general model‑proxy rather than a focused PDF manipulator.
!
Instruction Scope
Runtime instructions tell the agent to call https://api.heybossai.com/v1 with curl and to route arbitrary model runs (including uploading/embedding file contents as base64 in examples). That means user documents or audio could be sent to an external, unspecified provider. The instructions give broad discretion to call many model endpoints rather than providing narrowly scoped PDF operations or explicit file-handling safeguards.
Install Mechanism
No install spec and no code files beyond documentation — the skill is instruction-only and does not write artifacts to disk during install. This lowers local install risk.
!
Credentials
Only SKILLBOSS_API_KEY is required (which is coherent for a single proxy API), but that one key grants broad access to many model providers via the SkillBoss service. The skill has unknown source/homepage and will expose data to a third party; requiring a single API key for a multi-provider proxy is potentially disproportionate for a PDF-focused capability.
Persistence & Privilege
always:false (default) and there are no required config paths or claims to modify other skills or system settings. The skill does not request persistent elevated privileges.
What to consider before installing
This skill's name and description promise PDF utilities, but the instructions point to a generic third‑party model API (api.heybossai.com) that can run many model types and would see any data you send. Before installing: verify the vendor (heybossai.com), read its privacy/TOS and where data is routed, and consider the risk of uploading sensitive documents. Use a disposable or scoped API key, test only with non-sensitive sample files, and confirm billing/costs. If you only need offline or local PDF processing, prefer a dedicated local tool or a well-known vendor rather than an unknown model-proxy service.

Like a lobster shell, security has layers — review code before you run it.

latestvk97271kxm6qpcwhfwgmqwgmk4d82rs5y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments