Security audit

PDF to Excel

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PDF-to-Excel API wrapper, but uploaded PDFs or PDF URLs are sent to pdfapihub.com for processing.

Install only if you are comfortable sending selected PDFs or PDF URLs to pdfapihub.com using that provider's API key. Avoid confidential, regulated, financial, legal, or tax documents unless the provider's privacy, retention, and security terms are acceptable for your use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill sends user-supplied document URLs and an API credential to an external third-party service, creating a real data exposure boundary that is not clearly disclosed by the local-sounding skill description. If users provide sensitive PDFs, their contents and access metadata may be transmitted to and processed by an external vendor, which can violate user expectations, privacy requirements, or data-handling policies.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to submit a PDF via URL, base64 content, or multipart upload to an external API service, but it does not clearly warn that the PDF contents will leave the local environment and be processed by a third party. Because PDFs often contain invoices, financial statements, tax documents, or other sensitive data, this omission can cause users to disclose confidential information without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest clearly sends either a public PDF URL or base64-encoded PDF content to a third-party service at https://pdfapihub.com/api, but it does not disclose to the user that document contents leave the local environment. Because PDFs often contain sensitive business, personal, or regulated data, this omission can lead to unintended external disclosure and compliance/privacy violations even if the API behaves as designed.

External Transmission

Medium
Category
Data Exfiltration
Content
## Example Usage
```bash
curl -X POST https://pdfapihub.com/api/v1/convert/pdf/xlsx \
  -H "CLIENT-API-KEY: your_api_key" \
  -H "Content-Type: application/json" \
  -d '{ "url": "https://pdfapihub.com/sample-pdfinvoice-with-image.pdf", "output": "url" }'
```
Confidence
94% confidence
Finding
curl -X POST https://pdfapihub.com/api/v1/convert/pdf/xlsx \ -H "CLIENT-API-KEY: your_api_key" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.