PDF Toolkit handles mixed PDF workflows with a flexible toolset for page organization, basic editing, viewing, and general document processing, built on ComP...
Security Analysis
high confidenceThe skill's requirements and instructions are internally consistent with a cloud-based PDF processing helper that uses the ComPDF REST API; nothing requested is disproportionate to that purpose.
The skill claims to process PDFs via the ComPDF Cloud API and all declared behavior (asking for an API key, uploading files to compdf endpoints, selecting executeTypeUrl values) matches that purpose. There are no unrelated binaries, credentials, or config paths requested.
SKILL.md stays on-topic and explicitly requires user confirmation before uploading files to external servers, which reduces risk. It instructs the agent to check and optionally write a local file (config/public_key.txt) for storing the API key; this is within scope but introduces persistent local storage and the instructions do not mention secure storage or file permissions.
This is an instruction-only skill with no install spec and no code files to be written or executed. That is the lowest-risk install model and is proportionate to an API-integration helper.
The skill does not require environment variables or unrelated credentials, which is appropriate. It does request an API key from the user and offers to save it to config/public_key.txt; persisting an API key locally is reasonable but the SKILL.md does not advise encrypting the key or restricting file permissions, which users should consider.
The skill is not flagged as always: true and does not request system-wide privileges. The only persistent action described is optionally writing a single API key file under config/, which is a limited scope and reasonable for this functionality.
Guidance
This skill appears to do what it says: it uploads user files to ComPDF for processing and uses a user-provided API key. Before installing or using it: (1) Be prepared to confirm each upload — do not send highly sensitive or confidential documents to the external service. (2) Prefer giving a session-only API key (decline to save) unless you trust the environment. If you do save the key, delete or rotate it when no longer needed and consider storing it with restricted file permissions or encrypted storage. (3) Verify you want files sent to the specified domains (api-server.compdf.com / api-server.compdf.cn) and review ComPDF's privacy policy. (4) If you operate under organizational data controls, check egress/network policy and coordinate with IT before using this skill.
Latest Release
v1.1.0
- Expanded skill description to clarify multi-step, mixed-operation PDF workflows and new trigger phrases such as "pdf toolkit," "all-in-one pdf," and "multiple pdf operations." - Updated usage examples to reflect broader, end-to-end PDF processing scenarios (e.g., merging, rotating, and organizing PDFs in a single request). - No functional or file changes; documentation now better communicates the use case for handling complex PDF workflows with a single toolset.
Popular Skills
Published by @compdf-youna on ClawHub
