Make PDF safe
PassAudited by ClawScan on May 1, 2026.
Overview
The skill does what it claims, but users should know their PDF and API key are sent to an external Solutions API.
This skill appears coherent and purpose-aligned. Before installing or using it, confirm you trust the Solutions API provider with the PDFs you plan to process, keep the API key private, and avoid changing the base URL unless you intentionally trust the alternate endpoint.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any PDF processed with this skill is shared with the external Solutions API, and the returned download URL may provide access to the converted file.
The skill clearly discloses that the PDF is sent to an external provider and that the result is accessed through a returned URL.
uploads it to the Solutions API, polls the job status until it is finished, then returns the download URL
Only use this for PDFs you are allowed to upload to that provider, and verify the provider's privacy, retention, and URL-access controls for sensitive documents.
If the API key is exposed or sent to the wrong endpoint, someone else could potentially use the user's Solutions API access.
The skill needs a provider API credential. This is purpose-aligned and includes a rule not to echo or log the key, but users should still treat it as an account secret.
The API requires an API key used as a Bearer token: `Authorization: Bearer <API_KEY>`
Provide the API key only when needed, avoid pasting it into shared chats or logs, and rotate it if it may have been exposed.
A mistaken or untrusted base URL setting could send the PDF and API key somewhere other than the documented Solutions API.
The helper script allows the API endpoint to be overridden. That can be useful for configuration/testing, but it also controls where the PDF and bearer token are sent.
ap.add_argument("--base-url", default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override")Use the default endpoint unless you intentionally trust an override, and consider documenting or validating allowed base URLs.
If the helper script is used, the installed dependency version may vary across environments.
The helper depends on requests with a lower-bound version rather than an exact pinned version. This is common, but exact pinning would improve reproducibility.
requests>=2.32.0
For stricter supply-chain control, pin dependencies or provide a lock file.