Skip to content

Security: Straits-AI/pdf-skill

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please report security vulnerabilities privately via GitHub Security Advisories rather than public issues. We aim to acknowledge reports within a few business days.

Issues we consider security-relevant include:

  • Password or secret values leaking into results, manifests, logs, error details, or child-process error surfaces.
  • Redaction or sanitization operations that leave the "removed" content recoverable while reporting success.
  • Command injection through filenames, template values, or other user-controlled input reaching child processes.
  • Crafted PDF inputs causing unbounded resource consumption or arbitrary code execution.

Security model

  • All processing is local; no document content leaves the machine.
  • Passwords are accepted via --password-env / PDF_PASSWORD (preferred) or --password, are scrubbed from every error surface, and never appear in operation results.
  • The toolkit never attempts password cracking or permission bypass — decryption requires valid credentials.
  • Overlays (watermarks, shapes, whiteout) are explicitly documented as not redaction; the underlying content remains extractable and the tool says so.
  • External binaries (qpdf, poppler, ghostscript) are invoked without a shell (execFile), with arguments passed as arrays.

Supported versions

Only the latest release on main receives security fixes.

There aren't any published security advisories