Back to plugin

Security audit

URL to PDF

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, instructions, and requested credential (a single PDFAPIHub API key) align with its stated purpose of converting URLs to PDFs, taking screenshots, and returning rendered HTML; the main user risk is privacy (pages are uploaded to a third-party service).

This plugin appears to do what it says: it sends the URL and render instructions to PDFAPIHub (https://pdfapihub.com) and returns a PDF/image/HTML. Before installing: (1) Confirm the plugin source (the repo URL and author look consistent) and that you trust pdfapihub.com. (2) Do not send pages with secrets, credentials, or other sensitive data — those pages will be uploaded to a third party. (3) Verify where you store the API key (SKILL.md recommends ~/.openclaw/openclaw.json) and limit that key's permissions if possible. (4) Note the minor metadata inconsistency (registry summary vs plugin manifest) and confirm the plugin will be configured with an API key as described. If you need to handle private/internal pages, consider self-hosted or on-prem alternatives or confirm PDFAPIHub's privacy/retention policy.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.