md-2-pdf

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims: run a local Markdown-to-PDF converter using ReportLab, with no evidence of credential use, exfiltration, persistence, or hidden behavior.

This looks like a normal local file conversion skill. Before installing, note that it runs a Python script with uv and uses ReportLab; only convert files you trust and write PDFs to paths you intend to create or replace.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI05: Unexpected Code Execution

What this means

Installing or using the skill means allowing a local script to process files you choose.

Why it was flagged

The skill is invoked by running a local Python script. This is expected for a file conversion utility and is presented as a user-directed command.

Skill content

uv run scripts/md-to-pdf.py input.md

Recommendation

Use it on Markdown files you intend to convert, and choose output paths carefully to avoid overwriting files.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The converter may install or use a current ReportLab package from the configured Python package source.

Why it was flagged

The uv script declares a ReportLab dependency without a pinned version. This is common for small utility scripts, but it means dependency resolution depends on the package source at run time.

Skill content

# dependencies = [
#     "reportlab",
# ]

Recommendation

If using this in a controlled environment, pin dependency versions or run it with a trusted package index/cache.