Lock PDF

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PDF-locking API wrapper, but users should understand that PDFs and passwords are sent to pdfapihub.com.

Install only if you are comfortable sending the PDF, protection passwords, and API key to pdfapihub.com for processing. The provider's public privacy policy says submitted PDFs are processed temporarily and URL outputs may be stored for up to 24 hours, but verify the provider's privacy, retention, deletion, and compliance posture before using regulated, legal, financial, medical, or highly confidential documents. ([pdfapihub.com](https://pdfapihub.com/privacy))

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs users to send PDFs, passwords, and an API key to a third-party service, but it does not clearly warn that sensitive document contents and secrets leave the local environment. This can mislead users into submitting confidential files or credentials without informed consent, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence: 96%
Finding
The manifest sends highly sensitive material—PDF contents plus passwords, owner passwords, and possible input decryption passwords—to a third-party remote API at pdfapihub.com, but the skill description provides no user-facing disclosure, consent, or data-handling warning. In this context, the omission is dangerous because users may reasonably assume local processing for document encryption and may unknowingly expose confidential documents and secrets to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.
