Security audit
Document to PDF
Security checks across malware telemetry and agentic risk
Overview
The skill's code, instructions, and required API key are consistent with a document-to-PDF conversion service that uploads files to PDFAPIHub; nothing requested is disproportionate to that purpose.
This plugin sends documents to pdfapihub.com and requires an API key — that behavior matches its purpose but means your files are transmitted to a third party. Before installing: (1) Confirm you trust PDFAPIHub and review their privacy/retention policy (SKILL.md claims a 30-day auto-delete). (2) Use a limited/test API key and avoid sending sensitive documents until you've validated behavior. (3) Avoid passing internal URLs (the service may fetch them, creating SSRF/data-leak risk). (4) Note a minor implementation quirk: the code uses a common conversion endpoint for multiple tools (likely a harmless bug) — expect to test conversions to ensure correct handling of PPT/Excel formats. If any of these concerns are unacceptable, prefer a local converter that does not upload files to an external service.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
