Back to plugin

Security audit

Document to PDF

Security checks across malware telemetry and agentic risk

Overview

The skill's code, instructions, and required API key are consistent with a document-to-PDF conversion service that uploads files to PDFAPIHub; nothing requested is disproportionate to that purpose.

This plugin sends documents to pdfapihub.com and requires an API key — that behavior matches its purpose but means your files are transmitted to a third party. Before installing: (1) Confirm you trust PDFAPIHub and review their privacy/retention policy (SKILL.md claims a 30-day auto-delete). (2) Use a limited/test API key and avoid sending sensitive documents until you've validated behavior. (3) Avoid passing internal URLs (the service may fetch them, creating SSRF/data-leak risk). (4) Note a minor implementation quirk: the code uses a common conversion endpoint for multiple tools (likely a harmless bug) — expect to test conversions to ensure correct handling of PPT/Excel formats. If any of these concerns are unacceptable, prefer a local converter that does not upload files to an external service.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.