Back to skill
Skillv0.1.0
VirusTotal security
PR's PDF Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:07 AM
- Hash
- c75eab7f49087835ab020786a6b39be0bfeb5b44249bab616159662b0060d633
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pdfagent Version: 0.1.0 The skill bundle provides extensive PDF manipulation capabilities but contains high-risk features that could be exploited via prompt injection. Specifically, the 'agent' and 'translate' commands in 'pdfagent/cli.py' allow for arbitrary command execution through the '--llm-cmd' parameter (processed in 'pdfagent/core/llm.py'), which is intended for local LLM integration but lacks sanitization against malicious instructions. Additionally, 'pdfagent/tools/html_to_pdf.py' uses 'urllib.request.urlopen' to fetch content from user-provided URLs, introducing a potential Server-Side Request Forgery (SSRF) risk.
- External report
- View on VirusTotal