Convert to PDF
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Documents submitted for conversion will leave the local environment and be processed by Cross-Service-Solutions.
The skill’s core workflow sends user documents to an external provider. This is disclosed and purpose-aligned, but it creates a data-sharing boundary users should understand.
accepting one or multiple input files from the user, uploading them to the Solutions API convert endpoint
Only upload documents appropriate for that provider, and treat returned download links as sensitive unless the provider documents otherwise.
Anyone who obtains the API key could potentially use the user’s Solutions API access.
The script uses a bearer API key from a command-line argument or environment variable. This credential use is expected for the service, but it is sensitive and should be protected.
ap.add_argument("--api-key", default=os.getenv("SOLUTIONS_API_KEY", ""), help="Solutions API key (Bearer token)")Provide the API key only through trusted channels, avoid pasting it into shared logs or transcripts, and rotate it if exposure is suspected.
A misconfigured or malicious base URL could receive the documents and bearer token intended for the legitimate provider.
The script allows the API base URL to be overridden. If pointed at an untrusted endpoint, the same upload flow would send files and the Authorization header there.
default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override"Use the default Cross-Service-Solutions URL unless the user explicitly trusts and intends the alternate endpoint.