Skill v1.0.1

ClawScan security

Document to PDF · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 3:10 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (upload documents to PDFAPIHub and return PDFs) matches its instructions and files; the only notable mismatch is that the registry metadata does not declare the API key requirement even though SKILL.md/skill.json require a CLIENT-API-KEY header.
Guidance
This skill appears to do what it claims: it uploads documents to PDFAPIHub and returns a PDF. Before installing or using it: (1) confirm how you will supply the CLIENT-API-KEY (the registry metadata did not declare an env var — the agent will need the key at runtime or stored by the platform); (2) do not send confidential or sensitive documents unless you trust pdfapihub.com's security and retention policy (SKILL.md says files are auto-deleted after 30 days); (3) store API keys securely and check how the platform persists keys/inputs; (4) if you must convert sensitive files, prefer an on-device or internal conversion tool instead of a third-party cloud API.

Review Dimensions

Purpose & Capability
ok
Name/description say: convert office docs to PDF via PDFAPIHub. SKILL.md and skill.json describe exactly that API (https://pdfapihub.com/api) and accepted input/output formats. There are no unrelated credentials, binaries, or install steps demanded by the skill.
Instruction Scope
ok
Runtime instructions are narrowly scoped to uploading a document (URL, base64, or multipart) to PDFAPIHub and retrieving the converted PDF. The document upload and API endpoint are explicit; the skill does not instruct the agent to read local system files, other credentials, or send data to unexpected endpoints.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill itself, which is the lowest-risk install model.
Credentials
note
SKILL.md and skill.json require an API key presented in the CLIENT-API-KEY header. However, registry metadata lists no required environment variables or primary credential — this is an inconsistency: the skill needs an API key at runtime but does not declare a platform-level required env var. Apart from that, no other unrelated secrets or env access are requested.
Persistence & Privilege
ok
always:false (default), user-invocable and agent-autonomous invocation allowed (platform default). The skill does not request persistent system-wide modifications or cross-skill configuration changes.