
Security audit

Image to PDF

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it encourages sending sensitive images such as medical records and ID scans to a third-party PDF service without clear privacy, retention, or link-sharing disclosure.

Review before installing if you may process private or regulated images. Use it only when you are comfortable sending the source images, image URLs, API key, and generated PDFs to pdfapihub.com, and verify the provider's privacy, retention, deletion, compliance, and hosted-link access controls before using it for medical records, IDs, financial documents, insurance evidence, or internal business material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (96% confidence)
Finding
The skill explicitly instructs users to provide image URLs, base64 images, or file uploads and to authenticate against a third-party API, but it does not clearly warn that those images and any linked resources are transmitted to an external service. This is dangerous because users may supply sensitive documents such as IDs, medical records, insurance evidence, or internal records without informed consent about off-platform data disclosure.

Missing User Warnings

Medium (92% confidence)
Finding
The skill sends user-supplied images to a third-party external service at https://pdfapihub.com/api for conversion, but the manifest does not include any user-facing disclosure about external upload, retention, or handling of potentially sensitive image contents. This creates a privacy and data-governance risk because users may unknowingly transmit personal, confidential, or regulated data off-platform.

VirusTotal

64/64 vendors flagged this skill as clean.
