Compress PDF
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims, but it uploads the user’s PDF and uses a bearer API key with an external compression service.
Before installing, confirm that you trust Cross-Service-Solutions with the PDFs you plan to compress. Use a dedicated or least-privileged API key if possible, do not share the returned download URL for sensitive files, and avoid changing the base API URL unless the replacement endpoint is trusted.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any sensitive content inside the PDF will be shared with the external compression service, and the returned download URL may expose the compressed file depending on the provider’s access controls.
The core workflow sends the user-provided PDF to an external provider, which is disclosed and purpose-aligned but still crosses a data boundary.
uploading it to the Cross-Service-Solutions compression API
Use this only for PDFs you are comfortable uploading to Cross-Service-Solutions, and verify the provider’s privacy and retention terms before processing sensitive documents.
Anyone who obtains the API key may be able to use the associated Cross-Service-Solutions account or quota.
The skill requires delegated access to the provider API. This is expected for the service integration and the instructions explicitly say not to echo or log the key.
The API requires an API key used as a Bearer token: - `Authorization: Bearer <API_KEY>`
Provide only a key intended for this service, avoid pasting it into shared chats or logs, and rotate it if it may have been exposed.
If the base URL is changed to an untrusted endpoint, the PDF and API key could be sent somewhere other than the intended provider.
The helper script can redirect the upload and bearer-token request to a non-default API endpoint if the argument or environment variable is set.
ap.add_argument("--base-url", default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override")Do not set `SOLUTIONS_BASE_URL` or use `--base-url` unless you fully trust the endpoint; skill maintainers should document this override clearly or remove it if unnecessary.