Security audit
PDF Compress
Security checks across malware telemetry and agentic risk
Overview
This plugin's code and runtime instructions match its stated purpose (compressing PDFs via PDFAPIHub) and request only a single API key; the only notable mismatch is that the registry metadata omitted the required API key entry even though the plugin and SKILL.md expect it.
This plugin appears to do exactly what it says: send files to PDFAPIHub for compression and return results. Before installing, consider: (1) supply the API key only if you trust pdfapihub.com — files are uploaded to their servers and auto-deleted after 30 days; (2) verify the API key is stored in your OpenClaw plugin config or env var (PDFAPIHUB_API_KEY or plugin config.apiKey); (3) confirm the registry metadata omission (registry claimed no env vars) — treat that as a packaging error and prefer the plugin's openclaw.plugin.json which requires apiKey; (4) if you want to prevent autonomous calls, set disable-model-invocation to true or require explicit invocation; (5) review the source (index.ts) yourself if you need higher assurance — it only calls pdfapihub.com endpoints and does not access other system secrets.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
