Change permissions of PDF

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it advertises, but it sends your PDF to a third-party API and needs an API key, so use it only with documents and credentials you trust that service to handle.

Before installing or using this skill, make sure you trust the Cross-Service-Solutions API with the PDFs you upload and with the API key you provide. Keep the base URL set to the trusted default, handle the returned download link carefully, and rotate the API key if it is ever exposed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your PDF content is processed by a third-party service, and the resulting file is accessed through a returned download link.

Why it was flagged

The skill explicitly sends the user's PDF to an external provider and returns a provider-hosted download URL. This is purpose-aligned, but users should consider document sensitivity and URL sharing.

Skill content

uploading them to the Solutions API ... returning the download URL for the updated PDF

Recommendation

Use this only for PDFs you are comfortable uploading to the stated provider, and avoid sharing the returned download URL beyond intended recipients.

What this means

Anyone with the API key may be able to use the associated Solutions API account according to that provider's permissions and billing model.

Why it was flagged

The skill needs a provider API key for delegated access. This is expected for the integration, but the registry requirements list no primary credential, so users should notice the credential requirement.

Skill content

The API requires an API key used as a Bearer token: - `Authorization: Bearer <API_KEY>`

Recommendation

Provide the API key through a secure mechanism, do not paste it into shared logs or transcripts, and rotate it if you suspect exposure.

What this means

If the base URL is changed to an untrusted service, the PDF and API token could be sent somewhere other than the intended provider.

Why it was flagged

The script can be configured to send the PDF and bearer token to a non-default base URL. This is a common testing/configuration feature, but it should be used only with trusted endpoints.

Skill content

default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL),
        help="Base URL override"

Recommendation

Leave the base URL at the default unless you intentionally use a trusted compatible endpoint.