Security audit
HTML to Image
Security checks across malware telemetry and agentic risk
Overview
The skill's code, instructions, and required credential (an API key) are coherent with its stated purpose of converting HTML/URLs to images via the PDFAPIHub service; there are minor config-name inconsistencies but nothing that suggests malicious behavior.
This skill appears to be what it says: it sends HTML, URLs, and images to PDFAPIHub to render or compress them and requires a PDFAPIHub API key configured in the plugin. Before installing, consider: 1) Don't send private secrets or sensitive HTML/URLs you don't want transmitted to a third party. 2) Confirm which config key your gateway expects (openclaw.plugin.json uses 'apiKey'; SKILL.md references PDFAPIHUB_API_KEY) and set the plugin config accordingly. 3) Review PDFAPIHub's privacy, retention, and billing policies (https://pdfapihub.com/docs) if you will upload private data. 4) Revoke the API key if you stop using the skill. If you want extra assurance, review the plugin repository on GitHub (https://github.com/PdfApiHub/openclaw-html-to-image) and monitor network requests in your environment the first time you use it.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
