Back to plugin

Security audit

HTML to Image

Security checks across malware telemetry and agentic risk

Overview

The skill's code, instructions, and required credential (an API key) are coherent with its stated purpose of converting HTML/URLs to images via the PDFAPIHub service; there are minor config-name inconsistencies but nothing that suggests malicious behavior.

This skill appears to be what it says: it sends HTML, URLs, and images to PDFAPIHub to render or compress them and requires a PDFAPIHub API key configured in the plugin. Before installing, consider: 1) Don't send private secrets or sensitive HTML/URLs you don't want transmitted to a third party. 2) Confirm which config key your gateway expects (openclaw.plugin.json uses 'apiKey'; SKILL.md references PDFAPIHUB_API_KEY) and set the plugin config accordingly. 3) Review PDFAPIHub's privacy, retention, and billing policies (https://pdfapihub.com/docs) if you will upload private data. 4) Revoke the API key if you stop using the skill. If you want extra assurance, review the plugin repository on GitHub (https://github.com/PdfApiHub/openclaw-html-to-image) and monitor network requests in your environment the first time you use it.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.