Back to skill
Skillv1.0.0
VirusTotal security
Markdown Browser · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:31 AM
- Hash
- 2c5672b625c56d19e2285255bbfea485db1bed7ab1c76319209383a54e938fc7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: markdown-browser Version: 1.0.0 The skill bundle is classified as suspicious due to a supply chain vulnerability identified in `package-lock.json`. Dependencies `turndown` and `@mixmark-io/domino` are resolved from `http://mirrors.tencentyun.com/npm/` instead of the official npm registry. While the provided code in `browser.js` appears benign and implements stated privacy and content normalization features (e.g., URL redaction), relying on a non-standard, potentially untrusted mirror introduces a significant risk of malicious package injection if the mirror is compromised or controlled by an attacker. There is no evidence of direct malicious intent in the skill's own code or prompt injection attempts in `SKILL.md` or `README.md`.
- External report
- View on VirusTotal