Split PDF

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate PDF-splitting API wrapper, but the PDFs or PDF URLs you provide are sent to pdfapihub.com and outputs may be hosted there.

Install only if you are comfortable sending the PDFs or public PDF URLs you choose to process to pdfapihub.com. Avoid confidential, regulated, or proprietary documents unless you have reviewed and approved the provider's privacy, retention, deletion, and access-control practices, and use a limited API key where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The example sends the source PDF to a third-party API and returns externally hosted output URLs, which is materially different from a local-only 'split a single PDF' expectation. This can expose sensitive document contents and metadata to an external processor and CDN without the privacy/data-handling implications being made explicit in the skill description.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The skill requires network transmission of user-supplied PDFs to an external service and stores results on third-party infrastructure, but that dependency is not justified or contextualized by the stated purpose alone. In a document-processing context, this increases confidentiality and compliance risk because users may assume files are handled locally unless remote processing is clearly disclosed.

Missing User Warnings

Medium (97% confidence)
Finding
The skill explicitly instructs users to send either a PDF URL or the PDF contents to pdfapihub.com, but it does not clearly disclose in the skill description or warnings that user documents are transmitted to a third-party external service. This creates a real privacy and data-handling risk because users may upload sensitive PDFs under the assumption processing is local or platform-native.

VirusTotal

66/66 vendors flagged this skill as clean.
