Is ai-pdf-builder safe?

https://clawhub.ai/NextFrontierBuilds/ai-pdf-builder

74
CAUTION

ai-pdf-builder is a legitimate PDF generation skill with no overtly malicious behavior detected during monitoring. However, it carries structural risks: its reliance on npx for code execution means every invocation runs unaudited code from npm, and it instructs users to expose their Anthropic API key as an environment variable accessible to the npm package and its entire dependency tree. The skill also directs agent behavior to run shell commands and suggests elevated-privilege installations.

Category Scores (score /100 · weight in overall score)

Prompt Injection 75/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

HIGH Unpinned npx execution from npm -25

The skill's core functionality relies on 'npx ai-pdf-builder' which downloads and executes code from npm on every invocation. The npm package is not vendored or hash-pinned in the skill, meaning the executed code can change without any skill version update. This is a supply-chain risk — a compromised npm account or dependency could deliver malicious code.

HIGH API key exposure via environment variable -20

The skill instructs users to set ANTHROPIC_API_KEY as a shell environment variable. Any process invoked via npx inherits all environment variables, giving the npm package (and its entire dependency tree) access to the API key. The package could silently exfiltrate this key.

MEDIUM Agent behavior manipulation via instruction block -15

The 'Agent Instructions' section directs the AI agent to execute a 9-step workflow that includes running shell commands (such as 'which pandoc'), providing system installation instructions ('brew install', 'apt-get install'), and making decisions about user content. This expands the skill's effective scope beyond document generation.

MEDIUM Elevated privilege installation commands -10

The skill instructs users to run sudo commands for LaTeX installation, which could mask privilege escalation if the instructions were modified to include malicious packages.

MEDIUM Future cloud API data routing -10

The skill references a 'Cloud API (Coming Soon)' at ai-pdf-builder.com, indicating that document content may be routed through the author's infrastructure in future versions. Users generating legal documents (NDAs, SAFEs, term sheets) would be sending sensitive business data to a third-party server.

LOW Sensitive file access during gateway initialization -5

Filesystem monitoring captured reads of .env, .aws/credentials, .profile, .bashrc, and OpenClaw configuration files during the install phase. While these appear to be from the OpenClaw gateway process rather than the skill itself, they demonstrate the broad file access available in the execution environment.

LOW Broad keyword stuffing in metadata -10

The skill's keywords list includes generic terms (ai, llm, cursor, claude, claude-code, gpt, copilot, vibe-coding, mcp, agentic, coding-agent) that are not directly relevant to PDF generation, suggesting SEO/discovery optimization that could increase the skill's attack surface by appearing in more search results.

INFO Version mismatch between SKILL.md and README -5

SKILL.md references version 1.2.3 and features from v1.1.0, while README.md references [email protected]. This inconsistency suggests the README may be outdated or the skill wrapper version diverges from the underlying npm package version.