Remove metadata from PDF

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it sends selected PDFs to a named external service, so only use it with documents you are allowed to upload.

Install only if you are comfortable sending the selected PDFs and their contents to Cross-Service-Solutions for processing. Avoid confidential or regulated documents unless that provider's privacy, retention, and access controls meet your requirements, keep the API key private, and verify the upload URL before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to upload PDF files to a third-party API but does not clearly disclose the privacy and data-handling implications of sending document contents and metadata off-system. This can mislead users into transmitting sensitive PDFs to an external service without informed consent, creating confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill processes user PDFs by uploading them to an external third-party service, but the user-facing description does not clearly warn that documents leave the local environment. This can cause unintentional disclosure of sensitive document contents and metadata to an external processor, especially when users assume sanitization happens locally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads local PDF files to a third-party remote API for processing, but the user-facing interface and behavior do not prominently warn that full document contents are transmitted off-host. Because PDFs often contain sensitive business, legal, financial, or personal data, this can cause unintended data exfiltration even if the feature is working as designed.

External Transmission

Medium
Category
Data Exfiltration
Content
## How it works
1) Upload PDFs to:
   `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/40`
2) Poll:
   `GET  https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>`
3) Return `output.files[].path` as download URL(s)
Confidence
88% confidence
Finding
https://api.xss-cross-service-solutions.com/

External Transmission

Medium
Category
Data Exfiltration
Content
1) Upload PDFs to:
   `POST https://api.xss-cross-service-solutions.com/solutions/solutions/api/40`
2) Poll:
   `GET  https://api.xss-cross-service-solutions.com/solutions/solutions/api/<job_id>`
3) Return `output.files[].path` as download URL(s)

## Script (CLI)
Confidence
84% confidence
Finding
https://api.xss-cross-service-solutions.com/

VirusTotal

66/66 vendors flagged this skill as clean.
