pdfelement-skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears coherent for launching local PDFelement PDF workflows, but users should be aware that it can auto-run local PDF operations and pass document passwords and file paths to the local tool.
Before installing, make sure you actually use PDFelement and install it from the official Wondershare site. Run the skill only on intended PDFs, save or close any existing PDFelement/PDFToolbox work, and do not share generated launch URLs or logs if they include private file paths or PDF passwords.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A requested PDF action may run automatically in the local PDFelement app, and an existing PDFToolbox window may be closed.
The skill intentionally launches local PDF workflows in auto-exec mode and may reset the existing PDFToolbox process. This is aligned with batch PDF automation, but a wrong file or command could have immediate local effects.
Every Windows PDFelement command must include `-wsclaw -autoexec -entrance OpenClaw` ... reset any existing `PDFToolbox` instance first: send `/nowexit` ... force-stop lingering `PDFToolbox` processes
Confirm the file paths and operation before launching, keep backups of important PDFs, and save or close PDFelement/PDFToolbox work first.
The skill may create an executable helper file locally before launching PDFelement.
The skill asks the agent to create and run a PowerShell helper from a markdown file. The helper source is included and purpose-aligned, but users should be aware of this packaging pattern.
If `scripts\launch_wspet.ps1` is missing but `scripts\launch_wspet.ps1.md` exists, first copy `scripts\launch_wspet.ps1.md` to `scripts\launch_wspet.ps1` ... then use the restored `.ps1` helper.
Inspect the bundled helper if concerned, and install or update PDFelement only from the official Wondershare site.
Someone who can see copied terminal output or generated URLs might recover document paths and any supplied PDF password.
When a PDF password is supplied, it is embedded in the base64 launch payload, and the launch URI may be printed. Base64 is reversible, so generated command output should be treated as sensitive.
`$escapedPassword = [System.Security.SecurityElement]::Escape($FilePassword)` ... `$base64FilesXml = [Convert]::ToBase64String(...)` ... `Write-Host "Launching: $uri"`
Use the password option only when needed and avoid sharing generated wspet URLs, terminal output, or diagnostic logs.
