pdforge
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes
bash -candcurlto perform API requests. This approach is explicitly documented within the skill to ensure thePDFORGE_API_KEYenvironment variable is correctly expanded when using piped commands. - [EXTERNAL_DOWNLOADS]: Downloads generated documents from
storage.googleapis.comusing temporary signed URLs. This is a standard and safe operation using a well-known cloud service provider. - [DATA_EXFILTRATION]: Sends user-supplied document data (HTML or template variables) to
api.pdfnoodle.com. This is the primary intended functionality of the skill and uses the official service endpoints. - [CREDENTIALS_UNSAFE]: References a secret variable
PDFORGE_API_KEYvia thevm0_secretsconfiguration. The skill provides clear instructions on how users should securely manage their API keys as environment variables rather than hardcoding them.
Audit Metadata