Back to plugin

Security audit

Website Screenshot

Security checks across malware telemetry and agentic risk

Overview

The plugin’s code, instructions, and configuration consistently implement a screenshot-for-a-service integration (PDFAPIHub) that reasonably requires an API key and sends URLs to the external service; nothing in the package indicates unrelated credential access or hidden exfiltration.

This plugin sends the URLs you provide to pdfapihub.com for rendering and requires a PDFAPIHub API key. Before installing: verify you trust PDFAPIHub (privacy, retention, and security of any screenshots and rendered content), avoid sending pages with sensitive personal, medical, or credential-bearing content, store and provide the API key with least privilege and rotate it if compromised, confirm the plugin source (PdfApiHub repository/homepage) matches your expectations, and be aware screenshots are retained for ~30 days per the documentation. Also note the package metadata in the registry summary incorrectly claimed no required env vars — the plugin does require an API key as shown in openclaw.plugin.json and the code.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.