Back to skill
Skillv1.0.0
ClawScan security
Generate PDF from HTML · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 3:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared behavior, instructions, and required API usage are internally consistent: it is an instruction-only wrapper that sends HTML or a URL to a third‑party PDF generation API and does not request unrelated credentials or install anything.
- Guidance
- This skill forwards your HTML or a public URL to a third‑party service (pdfapihub.com) and requires an API key. Before installing, confirm you trust that service and its privacy/retention policy (the docs mention files are deleted after 30 days). Do not send sensitive secrets or personal data in HTML_content or dynamic_params unless you accept third‑party processing. Also check pricing, page limits, and whether you prefer a local renderer (headless Chromium) if you need to keep data on‑prem.
Review Dimensions
- Purpose & Capability
- okName/description match the actual behavior: SKILL.md and skill.json both describe sending HTML or a public URL to pdfapihub.com for rendering. The required functionality (an external PDF API and an API key) is appropriate for the stated purpose.
- Instruction Scope
- okRuntime instructions are narrowly scoped: they describe forming an HTTP POST to https://pdfapihub.com/api/v1/generatePdf with either html_content or url and an API key in the CLIENT-API-KEY header. The instructions do not ask the agent to read unrelated files, system config, or other environment variables.
- Install Mechanism
- okNo install spec or code is included (instruction-only). Nothing will be downloaded or written to disk by the skill itself, which lowers risk.
- Credentials
- okThe only auth artifact required by the skill is an API key for the external service (passed in the CLIENT-API-KEY header, and declared as apiKey in skill.json). The skill does not request unrelated secrets, environment variables, or config paths.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request system-wide privileges or modify other skills. Autonomous invocation is allowed (default) but that is expected for skills of this type.