Convert to PDF
PassAudited by ClawScan on May 1, 2026.
Overview
The skill’s code matches its PDF-conversion purpose, but it sends chosen files to an external API and uses a bearer API key, so users should only use it with documents and credentials they are comfortable sharing with that provider.
Before installing or using this skill, confirm you trust Cross-Service-Solutions with the files you convert, keep the API key private, and do not set a custom base URL unless you are sure it is legitimate.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Documents submitted for conversion will leave the local environment and be processed by Cross-Service-Solutions.
The skill’s core workflow sends user documents to an external provider. This is disclosed and purpose-aligned, but it creates a data-sharing boundary users should understand.
accepting one or multiple input files from the user, uploading them to the Solutions API convert endpoint
Only upload documents appropriate for that provider, and treat returned download links as sensitive unless the provider documents otherwise.
Anyone who obtains the API key could potentially use the user’s Solutions API access.
The script uses a bearer API key from a command-line argument or environment variable. This credential use is expected for the service, but it is sensitive and should be protected.
ap.add_argument("--api-key", default=os.getenv("SOLUTIONS_API_KEY", ""), help="Solutions API key (Bearer token)")Provide the API key only through trusted channels, avoid pasting it into shared logs or transcripts, and rotate it if exposure is suspected.
A misconfigured or malicious base URL could receive the documents and bearer token intended for the legitimate provider.
The script allows the API base URL to be overridden. If pointed at an untrusted endpoint, the same upload flow would send files and the Authorization header there.
default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override"Use the default Cross-Service-Solutions URL unless the user explicitly trusts and intends the alternate endpoint.