Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Url Images To Pdf

Extract images from a URL and generate a PDF (preserves the original order, no sorting)

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 272 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to extract images from arbitrary webpage URLs, but the implementation only looks for mmbiz/WeChat-style image URLs (regexes target mmbiz.qpic.cn and mmbiz.* patterns). That mismatch means it may fail on non-WeChat pages despite its general description.
Instruction Scope
SKILL.md lists only Node.js and pdfkit as prerequisites, but the script calls curl via execSync to fetch the page, and the README does not declare curl as a dependency. More importantly, execSync is called with a command string that incorporates the user-supplied URL: execSync(`curl -sL -A "Mozilla/5.0" "${url}"`, …). Because this string is executed by the shell, a maliciously crafted URL could be used for shell/command injection. The script also writes to /tmp and the current working directory (expected) and downloads remote images (expected).
Install Mechanism
There is no install spec and no external downloads in install-time metadata; the skill is instruction + a local JS file. That is lower risk than arbitrary remote installers.
Credentials
The skill requests no environment variables or credentials and does not access any system credentials or config paths beyond writing temporary files to /tmp and the output PDF to the current directory.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system-wide changes, and does not modify other skills' configurations.
What to consider before installing
This script is functionally coherent but has two actionable issues to consider before installing or running it: (1) It is narrowly targeted to WeChat (mmbiz) image URLs even though the doc claims general webpage support — expect it to miss images on many sites. (2) Command-injection risk: the code uses execSync with a shell string that includes the raw URL. If you or the agent will pass URLs you don't control, don't run it as-is. Suggested mitigations: replace the curl execSync call with a safe HTTP fetch implemented in Node (https/http or node-fetch/axios) or call curl via execFile/child_process.spawn with arguments (not via a single shell string), validate and strictly sanitize the URL (allow only https URLs and reject characters like backticks, $(), semicolons), and declare curl as a dependency in SKILL.md if you keep it. Also consider expanding or making the image-extraction regexes configurable if you expect non-mmbiz pages. Finally, test the script in an isolated environment (sandbox) before running on sensitive hosts.
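One way to apply the first mitigation suggested above, as an added example that is not the skill's own code: validate the URL strictly, then fetch it with Node's built-in fetch so that neither a shell nor curl is involved. It assumes Node.js 18 or later; the names validateUrl, fetchPage and demo, the 5 MiB size cap and the 15 second timeout are hypothetical choices, and the sample URLs are constructed.

```javascript
'use strict';
// Added example, not the skill's code. The scan quotes the risky call as
//   execSync(`curl -sL -A "Mozilla/5.0" "${url}"`, …)
// Here the URL is validated and fetched with Node's fetch: no shell, no curl.

const MAX_BYTES = 5 * 1024 * 1024; // assumed cap on page size
const SHELL_META = /[`$;|<>(){}\\'"\s\x00-\x1f]/; // inert without a shell, rejected anyway

function validateUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    throw new Error('URL must be a string of 1 to 2048 characters');
  }
  if (SHELL_META.test(raw)) throw new Error('URL contains a rejected character');
  let u;
  try { u = new URL(raw); } catch (e) { throw new Error('not a parseable URL'); }
  if (u.protocol !== 'https:') throw new Error('only https URLs are allowed');
  if (u.username || u.password) throw new Error('credentials in URL not allowed');
  return u.href; // normalized form
}

async function fetchPage(raw) {
  const href = validateUrl(raw);
  const res = await fetch(href, {
    headers: { 'User-Agent': 'Mozilla/5.0' }, // same UA the skill gives curl
    redirect: 'follow',
    signal: AbortSignal.timeout(15000),
  });
  // Redirects were followed, so re-check the final location.
  if (new URL(res.url).protocol !== 'https:') throw new Error('redirected off https');
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  const buf = Buffer.from(await res.arrayBuffer());
  if (buf.length > MAX_BYTES) throw new Error('response too large');
  return buf.toString('utf8');
}

// Constructed inputs: one accepted URL and four the validator must refuse.
function demo() {
  const samples = [
    'https://mp.weixin.qq.com/s/XXXX',
    'https://example.com/a"; echo injected; "',
    'https://example.com/$(id)',
    'http://example.com/article',
    'file:///etc/passwd',
  ];
  return samples.map((s) => {
    try { return [s, validateUrl(s)]; } catch (e) { return [s, 'REJECTED: ' + e.message]; }
  });
}
console.log(demo());
```

Query strings containing `&` are deliberately accepted, since that character only matters when a shell parses the command line.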

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.2

SKILL.md

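URL Images to PDF Skill

Function

Extract images from a webpage URL and generate a PDF file

Prerequisites

  1. Node.js installed
  2. pdfkit installed: npm install -g pdfkit

Usage

Method 1: Command line

# Install dependencies
npm install -g pdfkit

# Run the script
node ~/.openclaw/workspace/skills/url-images-to-pdf/extract.js <URL> [output filename]

Method 2: Call from within OpenClaw

Run directly:

node ~/.openclaw/workspace/skills/url-images-to-pdf/extract.js "https://example.com/article"

Output

  • The PDF file is saved in the current directory or a specified directory
  • PNG/JPG images are extracted from the webpage automatically

Installing dependencies

npm install -g pdfkit

Example

Extract the images from a WeChat article and generate a PDF:

node ~/.openclaw/workspace/skills/url-images-to-pdf/extract.js "https://mp.weixin.qq.com/s/XXXX"

Notes

  • Network access is required
  • Some websites may have anti-scraping measures
  • It is recommended to extract the images first and confirm the count before generating the PDF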

Files

2 total