Pdf Apiio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PDF-API.io helper that uses Membrane for authenticated PDF operations, with normal third-party document-processing risks users should understand.

Install only if you trust Membrane and PDF-API.io with the documents you plan to process. Before running uploads, redactions, conversions, password removal, deletes, or proxy requests, ask the agent to show the endpoint, method, parameters, and files or text that will be sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description is broad enough to trigger on generic requests to 'manage data, records, and automate workflows,' which can cause the agent to invoke this integration in situations where the user did not clearly intend to send content to PDF-API.io. In this context, over-broad activation increases the chance of unnecessary external data exposure and unintended third-party actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explains how to connect and use the external PDF service but does not clearly warn that files, document contents, and metadata may be transmitted to PDF-API.io through Membrane. Because this skill handles potentially sensitive documents, the lack of an explicit disclosure can lead users to unknowingly expose confidential information to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal