Stirling PDF

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Stirling-PDF wrapper, but it can send chosen documents and an optional API key to the configured PDF server and runs curl locally.

This skill looks safe for its stated purpose if you trust the Stirling-PDF server you configure. Before installing, confirm STIRLING_PDF_URL points to your own trusted instance, use HTTPS for remote servers, protect STIRLING_API_KEY, and avoid processing documents you do not want that server to see.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill runs a local program to contact the PDF service; a compromised local environment or PATH could affect what is executed.

Why it was flagged

The wrapper invokes the local curl binary. This is expected for the skill's API-calling purpose and uses explicit arguments rather than a shell command string, but it is still local command execution.

Skill content

const { spawn } = require('child_process'); ... const curl = spawn('curl', args);

Recommendation

Use a trusted local environment, keep node/curl trusted, and review the script if it changes.

What this means

Any document you ask the skill to process can be read by the configured Stirling-PDF server.

Why it was flagged

Selected input files are posted as multipart form data to the configured Stirling-PDF server. This is purpose-aligned, but PDFs may contain sensitive content.

Skill content

const BASE_URL = process.env.STIRLING_PDF_URL || 'http://localhost:8080'; ... args.push('-F', `fileInput=@${absPath}`);

Recommendation

Use a trusted self-hosted instance, prefer HTTPS for remote servers, and only process files you intend to send to that server.

What this means

If the API key is exposed or sent to an untrusted server, others may be able to use your Stirling-PDF service.

Why it was flagged

The optional Stirling-PDF API key is sent as an authentication header to the configured server. This is expected for authenticated deployments.

Skill content

const API_KEY = process.env.STIRLING_API_KEY || ''; ... args.push('-H', `X-API-KEY: ${API_KEY}`);

Recommendation

Use a scoped/revocable key if available, avoid sharing the environment variable, and use HTTPS when the server is not local.

What this means

You have less external context about who maintains this wrapper.

Why it was flagged

The registry entry does not provide an upstream source or homepage for the wrapper. No remote installer or hidden dependency is shown, so this is a provenance note rather than a concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included script and compare the documented endpoints with the official Stirling-PDF documentation before relying on it.