Merge PDF

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The contents of the selected PDFs will be shared with the third-party service, and the merged file is retrieved through a provider-supplied URL.

Why it was flagged

The core workflow sends the user's PDF files to an external provider for processing, which is disclosed and purpose-aligned.

Skill content

"uploading them to the Cross-Service-Solutions merge API"

Recommendation

Use this only for documents you are comfortable sending to Cross-Service-Solutions, review the provider's privacy/retention practices, and keep the returned download URL private.

What this means

The agent or script must handle an API key that could allow use of the user's Cross-Service-Solutions account if exposed.

Why it was flagged

The skill needs a service credential to call the provider API. This is expected for the integration and the artifacts instruct not to echo or log the key.

Skill content

"The API requires an API key used as a Bearer token:
- `Authorization: Bearer <API_KEY>`"

Recommendation

Use a revocable or least-privileged API key if available, avoid pasting it into shared logs or transcripts, and rotate it if you suspect exposure.

What this means

If the base URL override is set to an unintended endpoint, selected PDFs and the Bearer token could be sent somewhere other than the named provider.

Why it was flagged

The script allows the API destination to be overridden by a command-line argument or an environment variable. If that override is configured, whether intentionally or accidentally, it changes where the PDFs and the Authorization header are sent.

Skill content

`ap.add_argument("--base-url", default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL), help="Base URL override")`

Recommendation

Leave `SOLUTIONS_BASE_URL` and `--base-url` unset unless you deliberately trust the alternate endpoint; maintainers should consider documenting or domain-restricting this override.