Merge PDF
PassAudited by ClawScan on May 1, 2026.
Overview
The skill does what it claims, but users should know it uploads their selected PDFs to a third-party service and uses a Bearer API key.
Before installing, confirm you are comfortable sending the selected PDFs to Cross-Service-Solutions and handling the returned download URL as sensitive. Provide only the needed files, protect and rotate the API key as appropriate, and avoid using the base URL override unless you explicitly trust the alternate endpoint.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The contents of the selected PDFs will be shared with the third-party service, and the merged file is retrieved through a provider-supplied URL.
The core workflow sends the user's PDF files to an external provider for processing, which is disclosed and purpose-aligned.
uploading them to the Cross-Service-Solutions merge API
Use this only for documents you are comfortable sending to Cross-Service-Solutions, review the provider's privacy/retention practices, and keep the returned download URL private.
The agent or script must handle an API key that could allow use of the user's Cross-Service-Solutions account if exposed.
The skill needs a service credential to call the provider API. This is expected for the integration and the artifacts instruct not to echo or log the key.
The API requires an API key used as a Bearer token: - `Authorization: Bearer <API_KEY>`
Use a revocable or least-privileged API key if available, avoid pasting it into shared logs or transcripts, and rotate it if you suspect exposure.
If the base URL override is set to an unintended endpoint, selected PDFs and the Bearer token could be sent somewhere other than the named provider.
The script allows the API destination to be overridden by an argument or environment variable, which could change where PDFs and the Authorization header are sent if intentionally or accidentally configured.
ap.add_argument("--base-url", default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override")Leave `SOLUTIONS_BASE_URL` and `--base-url` unset unless you deliberately trust the alternate endpoint; maintainers should consider documenting or domain-restricting this override.