Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Markdown Sync Pro

v1.0.0

One-click sync of Markdown to Notion, GitHub Wiki, Medium and other platforms

by antonia huang @antonia-sz

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for antonia-sz/markdown-sync-pro.

Prompt Preview: Install & Setup
Install the skill "Markdown Sync Pro" (antonia-sz/markdown-sync-pro) from ClawHub.
Skill page: https://clawhub.ai/antonia-sz/markdown-sync-pro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install antonia-sz/markdown-sync-pro

ClawHub CLI


npx clawhub@latest install markdown-sync-pro
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to publish Markdown to Notion, GitHub Wiki, Medium and local HTML — that purpose justifies requiring service tokens. However the registry metadata lists no required environment variables or primary credential, while SKILL.md and README instruct users to export GITHUB_TOKEN, NOTION_TOKEN, MEDIUM_TOKEN and NOTION_PARENT_PAGE. skill.yaml lists an entry point (bin/publish) but no code or binary is included. These inconsistencies suggest the package is incomplete or misdeclared.
! Instruction Scope
Runtime instructions ask the agent/user to run a /publish command and to set service tokens. They also say images will be 'auto-uploaded to an image host' but do not specify which host or what credentials/endpoint are used — that implies uploading data to an unspecified external endpoint (possible data exfiltration). The instructions otherwise stay within the stated task and do not ask for unrelated system data, but the unspecified upload target and missing implementation details are a concern.
Install Mechanism
There is no install spec (instruction-only) which is lower risk, but README and skill.yaml reference a local ./bin/publish executable and a GitHub repo clone. The package lacks any code files or binaries, so either the skill is incomplete (missing artifacts) or expects the user/agent to fetch external code at runtime — both are noteworthy. Lack of an explicit, verifiable install source increases risk.
! Credentials
Although the registry claims no required env vars, the SKILL.md explicitly requires GITHUB_TOKEN, NOTION_TOKEN, NOTION_PARENT_PAGE, and MEDIUM_TOKEN for functionality. Those are legitimate for the stated platforms but should have been declared. Requesting multiple service tokens is proportionate to multi-platform publishing, but the absence of a declared primary credential and no guidance on minimal scopes (e.g., repo/wiki-only tokens, publish-only scopes) is a red flag.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config changes. Because it's instruction-only with no install spec, it does not appear to demand persistent elevated presence in the agent beyond normal invocation.
Scan Findings in Context
[no-code-files] unexpected: The regex scanner found no code to analyze. For an instruction-only skill this can be normal, but skill.yaml and README reference an executable entry (bin/publish) and a GitHub repo; the lack of any code/binary in the package is unexpected and should be clarified.
What to consider before installing
This package has mismatches you should resolve before installing. Ask the author for the source repository or the missing bin/publish implementation and verify the code before supplying any API tokens. If you do test it, create minimal-scope tokens (e.g., repo/wiki-only, publish-only scopes), avoid using long-lived primary credentials, and try --dry-run first. Clarify where images are uploaded (which image host/endpoint) and inspect that upload code or network behavior. If the maintainer cannot provide verifiable source or the binary, do not set your real service tokens in your environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dhe8emfxw0nb6e87pkfwr3s82pyqz
272 downloads
0 stars
1 version
Updated 13h ago
v1.0.0
MIT-0

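Markdown Sync Pro — Multi-platform content sync tool

Publish Markdown content to multiple platforms with one command.

Supported platforms

Platform      Status   Description
GitHub Wiki            Publish to the repository Wiki
Notion        📝       Create a Notion page
Medium        📝       Publish an article (requires an API token)
Local HTML             Export as an HTML file

Usage

Basic usage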

/publish article.md --to github --repo owner/repo

Publish to multiple platforms

/publish article.md --to github,notion,medium

Preview the conversion result

/publish article.md --dry-run

Platform configuration

GitHub Wiki

export GITHUB_TOKEN=your_github_token
/publish article.md --to github --repo username/repo

Notion

export NOTION_TOKEN=secret_xxx
export NOTION_PARENT_PAGE=page_id
/publish article.md --to notion

Medium

export MEDIUM_TOKEN=your_medium_token
/publish article.md --to medium

Markdown conversion support

  • ✅ Standard Markdown syntax
  • ✅ Code block highlighting
  • ✅ Tables
  • ✅ Images (automatically uploaded to an image host)
  • ✅ Frontmatter metadata

Examples

# Publish to GitHub Wiki
/publish docs/guide.md --to github --repo myorg/project

# Publish to Notion and set the title
/publish blog/post.md --to notion --title "我的文章"

# Export as HTML
/publish article.md --to html --output ./dist/
