Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pandoc Convert
v0.1.0Convert documents between 40+ formats using pandoc CLI. Handles Markdown ↔ Word ↔ PDF ↔ HTML ↔ LaTeX ↔ EPUB with smart defaults, professional templates, and comprehensive tooling.
⭐ 1· 1.8k·9 current·9 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (document conversion using pandoc and optional Python helpers) is reasonable and coherent for a 'Pandoc Convert' skill. However, the skill metadata declares no required binaries while SKILL.md explicitly lists prerequisites (pandoc, Python 3.8+, LaTeX, wkhtmltopdf, etc.). SKILL.md also claims many repository files (scripts/, templates/, INSTALL.md) that are not present in the package manifest. This mismatch weakens trust in the package's claims.
Instruction Scope
The runtime instructions tell the agent to run local scripts (python scripts/convert.py, ./scripts/batch_convert.sh, ./scripts/validate.sh) and to consult local docs/templates (INSTALL.md, templates/, references/). Since the skill bundle contains only SKILL.md and no scripts or templates, following these instructions would either fail or cause the agent to attempt to fetch/execute missing resources. The instructions do not ask for unrelated credentials or system-wide access, but they assume local files that aren't present.
Install Mechanism
There is no install spec (instruction-only skill), which is low-risk in that nothing is written to disk by an installer. However, SKILL.md references an INSTALL.md and many scripts that imply an installation step; their absence is an inconsistency. Because there is no declared install or source repository, it's unclear how the referenced scripts/templates are meant to be provided.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. SKILL.md likewise does not instruct the agent to read secrets or unrelated environment variables. This is proportionate to the described functionality (local document conversion).
Persistence & Privilege
The skill does not request always:true and uses default autonomy settings. It does not request system-wide config changes in the provided instructions. There is no evidence of privileged persistence.
Scan Findings in Context
[NO_CODE_FILES_PRESENT] unexpected: The regex-based scanner found no code files to analyze. That is inconsistent with SKILL.md, which describes scripts/convert.py, batch_convert.sh, validate.sh, templates/, INSTALL.md, and many docs. For a skill that instructs running local scripts, the absence of those files is unexpected and reduces trust.
What to consider before installing
Do not install or enable this skill yet. Ask the publisher for the source repository or a complete package so you can inspect the scripts and templates SKILL.md references. Verify that pandoc and Python are actually required and that scripts exist under scripts/. If you plan to let an agent run commands, ensure the repository is trustworthy and that required binaries (pandoc, Python, LaTeX, etc.) are explicitly declared. If the skill will fetch code at runtime, request an explicit and auditable install mechanism (official release URL or package) and review it before allowing execution. Because the current bundle only contains documentation that describes missing files, treat it as incomplete/untrustworthy until those inconsistencies are resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk978hz6c3r70nvmchv4b1pxmn980s0rb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.