Skill v1.0.0
ClawScan security
PDF to Text · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 4:47 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it forwards PDFs to pdfapihub.com's API to extract text and requires an API key. However, it sends document contents to a third-party service (no homepage or publisher info is provided), so verify privacy/trust before using.
- Guidance: This skill simply sends PDFs (or PDF URLs) to pdfapihub.com to obtain extracted text and requires you to provide an API key in the CLIENT-API-KEY header. Before installing or using:
  1. Verify the reputation and privacy policy of pdfapihub.com (no homepage/publisher info is provided in the package).
  2. Do not send sensitive or confidential PDFs to this service unless you trust its data-handling and retention policies.
  3. Provide the API key securely (avoid pasting it into public chat history or code repositories).
  4. If you need offline/local processing for sensitive documents, use a local PDF-to-text tool instead.
  5. Confirm billing, rate limits, and where converted outputs are hosted (the example shows a CDN URL) so you understand where your data may reside.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, example.json, and skill.json all align: the skill calls an external PDF-to-text API (pdfapihub.com) and accepts a URL, base64 file, or multipart upload. Required inputs and output options match the stated purpose.
- Instruction Scope (note): Instructions are narrow and consistent with conversion: POST to https://pdfapihub.com/api/v1/convert/pdf/txt with CLIENT-API-KEY and payload. However, using the skill will transmit full PDF contents (or a public PDF URL) to a third-party service. This is expected for a cloud conversion API but is a privacy/exfiltration risk for sensitive documents and should be considered before use.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing is written to disk or downloaded by the skill itself. Low install risk.
- Credentials (note): The skill does not declare or require environment variables, but it requires an API key supplied in the CLIENT-API-KEY header. That is proportionate for a third-party API, but the skill provides no mechanism for securely storing or retrieving that key; the user must manage it outside the skill.
- Persistence & Privilege (ok): always is false; the skill is user-invocable and not forced into every agent run. It does not request system config paths or modify other skills. Autonomous invocation is allowed (platform default) and is not by itself a concern here.
