Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stirling PDF

v1.0.4

Self-hosted REST API for comprehensive PDF manipulation including merge, split, convert, OCR, compress, sign, redact, and secure PDFs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (self-hosted PDF REST API wrapper) aligns with the included files and runtime instructions. Declared required binaries (node, curl) are necessary for the provided CLI wrapper and curl-based requests. No unrelated credentials, binaries, or install behavior are requested.
Instruction Scope
SKILL.md instructs the agent to run the included Node wrapper which performs multipart POSTs of user-specified files to the configured STIRLING_PDF_URL endpoints. The script only reads files explicitly passed as arguments and environment variables STIRLING_PDF_URL / STIRLING_API_KEY. This is within scope for PDF operations, but it does mean any file you pass will be uploaded to whatever URL is configured (default localhost). If the URL is changed to a remote host, that can result in exfiltration of sensitive files — the behavior is expected but must be considered.
Install Mechanism
There is no install spec (instruction-only with one local script), so nothing is downloaded or written by an installer. Risk from installation is low because no arbitrary remote install URLs or package pulls are present.
Credentials
No required environment variables or secrets are forced by the registry metadata. The script uses two optional env vars (STIRLING_PDF_URL, STIRLING_API_KEY) which are appropriate for a REST API client. The number and type of env vars are proportional to the skill's purpose.
Persistence & Privilege
always is false and the skill does not request system-wide config changes or persist credentials. The skill can be invoked autonomously by the agent (platform default) but that is not itself unusual; consider restricting autonomous use if handling sensitive documents.
Assessment
This skill appears to be what it says: a small Node wrapper that uploads files to a Stirling-PDF REST API. Before installing or enabling it, verify the source (no homepage provided) and consider these practical precautions:
- Ensure STIRLING_PDF_URL points to a trusted instance (localhost or your own server). If you point it to a remote or third-party URL, any file you process will be uploaded there.
- If your PDFs contain sensitive data, avoid setting a remote URL or disable autonomous invocation so the agent cannot call the skill without your explicit command.
- If you will use an API key, store it in a secure secret store and confirm the key's scope on your Stirling-PDF instance.
- Inspect the included script (scripts/pdf.js) yourself — it's short and readable — or run it in an isolated environment before granting broader access.
- Because the skill's provenance is unknown (no homepage/source repo), prefer onboarding it in a sandbox or test account and confirm behavior against a local Stirling-PDF instance.
If you need higher assurance, request a version published by a verifiable maintainer or from an official project repository.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ede3tpaxcx0mrf4w0a24cmd8158sz

Runtime requirements

📄 Clawdis
Bins: node, curl
