Convert to PDF
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: convert-to-pdf Version: 1.0.0 The skill's purpose is to convert documents to PDF via the 'Cross-Service-Solutions' API. The `SKILL.md` and `README.md` clearly describe this functionality and do not contain any prompt injection attempts to mislead the agent. The Python script `scripts/convert-to-pdf.py` implements the described file upload and polling logic, using the specified API endpoints at `api.xss-cross-service-solutions.com`. It handles API keys securely by using them in Authorization headers and does not attempt to exfiltrate unrelated sensitive data or perform malicious execution. The `allowed-tools` (http, files) are necessary for its stated purpose, and the `requests` dependency is standard.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Documents submitted for conversion will leave the local environment and be processed by Cross-Service-Solutions.
The skill’s core workflow sends user documents to an external provider. This is disclosed and purpose-aligned, but it creates a data-sharing boundary users should understand.
accepting one or multiple input files from the user, uploading them to the Solutions API convert endpoint
Only upload documents appropriate for that provider, and treat returned download links as sensitive unless the provider documents otherwise.
Anyone who obtains the API key could potentially use the user’s Solutions API access.
The script uses a bearer API key from a command-line argument or environment variable. This credential use is expected for the service, but it is sensitive and should be protected.
ap.add_argument("--api-key", default=os.getenv("SOLUTIONS_API_KEY", ""), help="Solutions API key (Bearer token)")Provide the API key only through trusted channels, avoid pasting it into shared logs or transcripts, and rotate it if exposure is suspected.
A misconfigured or malicious base URL could receive the documents and bearer token intended for the legitimate provider.
The script allows the API base URL to be overridden. If pointed at an untrusted endpoint, the same upload flow would send files and the Authorization header there.
default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override"Use the default Cross-Service-Solutions URL unless the user explicitly trusts and intends the alternate endpoint.