PDF Extract
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent for ComPDF document processing, but users should note that it uploads documents to ComPDF and, with consent, may use or locally save a ComPDF API key.
Before installing, confirm you are comfortable using ComPDF Cloud for the documents you plan to process. Do not upload highly sensitive PDFs or images unless external processing is acceptable, save the API key only on trusted machines, and double-check any conversion or editing operation before running it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken operation or parameter choice could produce altered documents, such as deleted pages or removed watermarks.
The skill exposes a broad set of document-processing operations beyond simple extraction, including operations that alter output documents. The instructions frame these as user-requested actions, so this is disclosed and purpose-adjacent rather than hidden.
Supports 50+ document processing operations... User requests to edit PDF pages (e.g., "merge these two PDFs", "delete page 3", "rotate PDF")... User requests to add or remove watermarks from PDF
Review the selected operation and parameters before processing, and keep an original copy of important documents.
Anyone with access to the saved key file may be able to use the associated ComPDF API quota or account privileges.
The skill needs a ComPDF API key and can persist it locally with user consent. This is expected for the service integration, but the key may control quota or account access.
ask the user for their ComPDF API Public Key... ask whether they would like to save it locally for future sessions... write the key to `config/public_key.txt`... Include the user-provided API key in the `x-api-key` header
Save the API key only on trusted devices, delete `config/public_key.txt` when no longer needed, and rotate the key if it may have been exposed.
If you process an encrypted document, its password may be sent to the external ComPDF service along with the file.
For encrypted PDFs, the referenced API can receive a document password as form-data. This is purpose-aligned for opening encrypted files, but the password is sensitive.
The `password` field is independent of `parameter`, passed directly as form-data
Only provide document passwords when necessary, avoid reusing those passwords elsewhere, and do not upload highly confidential encrypted files unless you accept the risk.
PDFs or images may contain confidential information, and their contents will be processed outside your local environment.
The skill sends user-selected documents to an external provider. The upload is clearly disclosed and gated on explicit confirmation.
Your file will be uploaded to ComPDF's servers (api-server.compdf.com or api-server.compdf.cn) for processing... Only proceed with the upload after receiving explicit user confirmation.
Upload only files you are comfortable sharing with ComPDF, review the linked privacy policy, and avoid highly sensitive documents unless the external processing risk is acceptable.
