Security audit
Website Screenshot
Security checks across malware telemetry and agentic risk
Overview
The plugin’s code, instructions, and configuration consistently implement a screenshot-for-a-service integration (PDFAPIHub) that reasonably requires an API key and sends URLs to the external service; nothing in the package indicates unrelated credential access or hidden exfiltration.
This plugin sends the URLs you provide to pdfapihub.com for rendering and requires a PDFAPIHub API key. Before installing: verify you trust PDFAPIHub (privacy, retention, and security of any screenshots and rendered content), avoid sending pages with sensitive personal, medical, or credential-bearing content, store and provide the API key with least privilege and rotate it if compromised, confirm the plugin source (PdfApiHub repository/homepage) matches your expectations, and be aware screenshots are retained for ~30 days per the documentation. Also note the package metadata in the registry summary incorrectly claimed no required env vars — the plugin does require an API key as shown in openclaw.plugin.json and the code.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
