Markdown Browser
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a benign post-processor for OpenClaw web_fetch results, with normal caution needed around untrusted webpage content and npm dependency installation.
This skill is reasonable to install if you are comfortable running Node/npm and the turndown dependency. Treat all processed webpage content as untrusted data, and verify the package source or registry settings before installing in a sensitive environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A webpage processed by this skill could contain prompt-like instructions; the agent should treat the content as data, not as commands.
The skill is intended to place fetched webpage content into later agent processing. That is coherent with its purpose, but webpage text can contain untrusted instructions that should not override the user's goal.
Use the returned normalized object for downstream agent logic.
Use the policy_action output and keep normal web-content prompt-injection safeguards in place for any downstream reasoning.
Installing dependencies may rely on an external package mirror; the integrity hash helps, but users should still be comfortable with the dependency source.
The runtime dependency is locked with an integrity hash, which mitigates tampering, but the resolved source is a non-HTTPS third-party mirror rather than the default npm registry.
"resolved": "http://mirrors.tencentyun.com/npm/turndown/-/turndown-7.2.2.tgz", "integrity": "sha512-1F7db8BiExOKxjSMU2b7if62D/XOyQyZbPKq/nUwopfgnHlqXHqQ0lvfUTeUIr1lZJzOPFn43dODyMSIfvWRKQ=="
Install from a trusted registry, keep the lockfile intact, and verify dependency provenance if using this in a sensitive environment.