Remove metadata from PDF

Pass. Audited by ClawScan on May 1, 2026.

Overview

The artifacts consistently implement PDF metadata removal through an external API, with expected but important privacy and API-key handling considerations.

Before installing or using this skill, confirm you are comfortable uploading the selected PDFs to the Solutions API, keep the API key private, verify that the base URL has not been overridden unexpectedly, and treat returned download links as sensitive.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

PDF contents and cleaned-output URLs may be exposed to the external service and anyone the URLs are shared with.

Why it was flagged

The documented workflow transfers user PDFs to an external provider and returns downloadable result links, which is central to the skill but important for privacy.

Skill content

uploading them to the Solutions API ... returning download URL(s) for the cleaned file(s)

Recommendation

Use only with PDFs you are allowed to upload, verify the provider and endpoint, and treat returned download URLs as sensitive.

What this means

A leaked or over-privileged API key could allow unauthorized use of the user's Solutions API account.

Why it was flagged

The skill requires a bearer token for the intended API. The instruction not to echo or log it is appropriate, but users still grant service-account access.

Skill content

The API requires an API key used as a Bearer token: - `Authorization: Bearer <API_KEY>` ... **Rule:** never echo or log the API key.

Recommendation

Use a revocable, least-privileged API key if available, provide it only through a secure secret channel, and rotate it if it may have been exposed.

What this means

If an unintended base URL is configured, selected PDFs and the API token could be sent to a different endpoint.

Why it was flagged

The script can override the API base URL via CLI or environment variable; because uploads include PDF files and the Authorization header, the destination should be trusted.

Skill content

default=os.getenv("SOLUTIONS_BASE_URL", DEFAULT_BASE_URL),
        help="Base URL override" ... resp = requests.post(url, headers=headers, files=files, timeout=timeout_s)

Recommendation

Leave the base URL at the documented default unless intentionally testing a trusted endpoint; agents should confirm any override before uploading.

What this means

Future dependency resolution could install a newer package version than the author tested.

Why it was flagged

The helper script relies on an external Python package with a minimum version rather than an exact pinned version.

Skill content

requests>=2.32.0

Recommendation

Install dependencies from trusted package indexes and consider pinning or locking versions in controlled environments.