Pdfco

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate PDF.co/Membrane integration, but it requires installing a CLI and authenticating so the agent can work with PDF.co data.

Before installing, make sure you trust the Membrane CLI package, are comfortable authenticating a Membrane/PDF.co connection, and only process PDFs that may be sent to those services. Review any destructive or security-related PDF actions before allowing the agent to run them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could perform PDF transformations or security-related actions on user-selected PDF.co data if asked or if the workflow permits it.

Why it was flagged

The skill exposes broad PDF.co actions, including document mutation and security-related operations. This is aligned with a PDF.co integration, but users should ensure such actions are explicitly intended.

Skill content

Use action names and parameters as needed. ... Delete Pages From PDF ... Decrypt PDF ... Remove PDF Security ... Sign PDF

Recommendation

Confirm destructive or security-sensitive PDF actions, review input/output files, and avoid using this skill on documents you do not want processed by PDF.co.

What this means

A connected Membrane/PDF.co account may allow the agent to view or modify PDF.co resources according to the granted permissions.

Why it was flagged

The integration relies on delegated account access and ongoing credential refresh through Membrane. This is expected for the stated purpose, but it grants the agent usable access to the connected PDF.co account.

Skill content

Requires network access and a valid Membrane account ... Membrane handles authentication and credentials refresh automatically

Recommendation

Connect only the intended account, review granted scopes or permissions where available, and revoke the connection when it is no longer needed.

What this means

Installing the CLI changes the local environment, and the exact code installed can change over time when the latest tag is used.

Why it was flagged

The setup asks the user to install a globally available CLI from npm using the moving latest tag. This is user-directed and central to the integration, but it relies on external package provenance and future package updates.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Verify the package source, consider pinning a specific version, and install in a controlled environment if handling sensitive documents.

What this means

PDF content or extracted data may be handled by PDF.co and Membrane as part of the requested operation.

Why it was flagged

The workflow involves a third-party integration layer and a SaaS provider processing PDF-related data. This is disclosed and purpose-aligned, but PDF documents and extracted data can be sensitive.

Skill content

This skill uses the Membrane CLI to interact with PDF.co ... PDF.co is a SaaS platform ... data extraction

Recommendation

Use this skill only with documents you are allowed to send to those services, and check PDF.co and Membrane privacy/security terms for sensitive or regulated data.