ClawHub

Markdown Exporter

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: markdown-exporter Version: 3.6.10 The skill bundle is classified as benign. The `SKILL.md` file provides clear, functional instructions for an AI agent to use the `markdown-exporter` command-line tool for various file conversions. There is no evidence of intentional malicious behavior such as data exfiltration, persistence mechanisms, obfuscation, or prompt injection attempts designed to subvert the agent's purpose. While executing external commands with user-provided file paths inherently carries a risk of shell injection if the OpenClaw agent runtime does not properly sanitize inputs, this is a platform-level vulnerability rather than malicious intent within the skill's definition itself. The skill's described functionality (file conversion) legitimately requires file system and command execution access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing the skill gives the external md-exporter package the ability to run as the markdown-exporter command on local files.

Why it was flagged

The skill depends on installing an external package to provide the CLI binary. This is normal for the stated converter purpose, but the executable package code is not included in the provided artifact set.

Skill content
uv | package: md-exporter | creates binaries: markdown-exporter
Recommendation

Install only if you trust the PyPI package and linked project; consider checking the package version and repository before use.

NoteHigh Confidence
ASI02: Tool Misuse and Exploitation
What this means

The tool may create or overwrite output files if directed to paths the user or agent provides.

Why it was flagged

The skill exposes a local command-line tool that takes input and output file paths. This is central to the conversion workflow, but it means the agent can read specified Markdown files and write converted files.

Skill content
markdown-exporter <subcommand> <args> [options]
Recommendation

Use explicit, intended input and output paths, and avoid pointing it at sensitive files or important existing files unless that is your goal.