PDF.co
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with the Maton API key can make PDF.co-related requests through this integration within the connected account context.
The skill requires a user API key to make authenticated requests. This is expected for the integration, but it grants delegated access that should be handled carefully.
All requests require the Maton API key in the Authorization header: ... Authorization: Bearer $MATON_API_KEY
Store the MATON_API_KEY securely, do not paste it into shared chats or logs, and revoke/delete unused connections when no longer needed.
If used carelessly, the skill could alter generated PDFs or related PDF.co resources, but the documented workflow expects user confirmation first.
The skill exposes potentially mutating PDF operations, but the artifact explicitly requires approval before create, update, or delete calls, keeping the behavior purpose-aligned.
Convert, merge, split, and edit PDFs with full document manipulation capabilities. ... All write operations require explicit user approval.
Before approving any write operation, verify the target document, selected connection, and intended output or deletion.
PDF URLs, document-processing requests, and extracted content may be handled by Maton and PDF.co rather than staying local.
Requests pass through a third-party gateway to PDF.co. This is disclosed and central to the skill, but it means document URLs, processing requests, and results may cross external service boundaries.
Maton proxies requests to `api.pdf.co` and automatically injects your API credentials.
Use the skill only with documents you are allowed to send to those services, especially for invoices, contracts, or other sensitive PDFs.