Security audit
PDF Toolkit
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, SKILL.md, and manifest consistently implement a PDF toolkit that sends files to PDFAPIHub and requires an API key — this behavior matches the stated purpose, but you should be aware files are uploaded to a third-party service and retained for 30 days.
This plugin sends any files you process to a third‑party service (pdfapihub.com) and stores them for up to 30 days — do not upload highly sensitive data unless you trust PDFAPIHub and its retention/processing policy. Provide only the PDFAPIHUB_API_KEY (or set config.apiKey) as required; do not reuse high‑privilege or unrelated credentials. Confirm the plugin source (https://pdfapihub.com and the GitHub repo claimed) and, if concerned, test with non-sensitive sample files first. If you want lower risk, avoid uploading private documents or disable the plugin's autonomous invocation in agent settings before using.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
