v1.0.1

Markdown to Word

ClawScan verdict for this skill: Benign. Analyzed May 1, 2026, 8:12 AM.

Analysis

The provided artifacts look like a normal Markdown-to-Word converter, with expected but noteworthy local tooling, dependency installation, and remote-image download behavior.

Guidance

This skill appears reasonable for converting Markdown to Word. Before installing, use an isolated Python environment, be aware that optional Mermaid support runs a local CLI, and review Markdown files for remote image links if outbound network access or privacy is a concern.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pip install python-docx Pillow beautifulsoup4 PyYAML ... npm install -g @mermaid-js/mermaid-cli

The skill instructs users to install public Python and npm packages, including an optional global npm package, without version pinning. This is purpose-aligned for document conversion and Mermaid rendering, but without pins each install resolves to whatever versions the registries serve at that moment, so a review of the skill today does not cover what a later install pulls in. Users should be aware of this supply-chain dependency.

User impact: Installing these packages gives third-party package code access to the local Python/npm environment used for conversion. Both ecosystems can run package code at install time (npm lifecycle scripts, pip source builds), and the global npm install writes into the user-wide or system-wide Node prefix rather than a project directory.
Recommendation: Install dependencies in a virtual environment or other isolated workspace, pin exact versions (and hashes, where the tooling supports it) rather than floating specifiers, and install only from trusted package sources.
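The check below is an added example, not part of the ClawScan report and not the skill's own code. It scans a SKILL.md-style text for pip and npm install lines and reports what a reviewer would want flagged for this finding: package specs with no exact pin, npm global installs, and pip commands that point at a custom index (a dependency-confusion risk). The sample document is constructed for the example, the internal index host and the mermaid-cli version number are hypothetical, and "pinned" is defined here as an exact `==` pin for pip or an exact `@x.y.z` suffix for npm; range specifiers still let the resolver choose a newer release.

```python
"""Static check for unpinned or risky install commands in a skill's setup text.

Added example (not ClawScan's or the skill's code). Assumptions: a pip spec is pinned
only with '==', an npm spec only with an exact '@x.y.z' suffix. Requirements files
pulled in with '-r' are not opened here and would need the same review.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# One install command per match; stop at shell separators so chained commands split.
INSTALL_LINE = re.compile(r"\b(?:pip3?|python3?\s+-m\s+pip|npm)\s+install\b[^&;|\n]*")
PIP_PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?==[0-9][^,\s]*$")
NPM_PINNED = re.compile(r"^(?:@[^/]+/)?[^@]+@\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
# pip flags that consume the next token, so that token is not mistaken for a package.
PIP_VALUE_FLAGS = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                   "--extra-index-url", "-f", "--find-links", "-t", "--target"}


@dataclass
class InstallFinding:
    tool: str                       # "pip" or "npm"
    command: str
    unpinned: List[str] = field(default_factory=list)
    global_install: bool = False    # npm -g / --global
    custom_index: bool = False      # pip -i / --index-url / --extra-index-url


def audit_install_commands(text: str) -> List[InstallFinding]:
    """Return one InstallFinding per install command found in text."""
    findings: List[InstallFinding] = []
    for match in INSTALL_LINE.finditer(text):
        command = match.group(0).strip()
        try:
            tokens = shlex.split(command)
        except ValueError:              # unbalanced quotes: fall back to whitespace split
            tokens = command.split()
        if not tokens:
            continue
        tool = "npm" if tokens[0] == "npm" else "pip"
        lowered = [t.lower() for t in tokens]
        args = tokens[lowered.index("install") + 1:]
        finding = InstallFinding(tool, command)
        skip_next = False
        for tok in args:
            if skip_next:
                skip_next = False
                continue
            if tok.startswith("-"):
                name = tok.split("=", 1)[0]
                if tool == "npm" and name in ("-g", "--global"):
                    finding.global_install = True
                if tool == "pip" and name in ("-i", "--index-url", "--extra-index-url"):
                    finding.custom_index = True
                if tool == "pip" and name in PIP_VALUE_FLAGS and "=" not in tok:
                    skip_next = True
                continue
            pattern = NPM_PINNED if tool == "npm" else PIP_PINNED
            if not pattern.match(tok):
                finding.unpinned.append(tok)
        findings.append(finding)
    return findings


# Constructed sample setup text (not the real SKILL.md); the index host and the
# mermaid-cli version below are hypothetical values for illustration.
SAMPLE_SKILL_MD = """## Setup
pip install python-docx Pillow beautifulsoup4 PyYAML
pip install --extra-index-url https://pypi.internal.example/simple markdown==3.6
pip install -r requirements.txt
npm install -g @mermaid-js/mermaid-cli
npm install @mermaid-js/mermaid-cli@11.4.2
"""

if __name__ == "__main__":
    for f in audit_install_commands(SAMPLE_SKILL_MD):
        print(f"{f.tool:3} global={f.global_install!s:5} custom_index={f.custom_index!s:5} "
              f"unpinned={f.unpinned}  <- {f.command}")
```

Run it over the skill's SKILL.md (or any README with setup steps) before installing; an empty `unpinned` list and `custom_index=False` on every line is the state the recommendation above asks for.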
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/chart_handler.py
cmd = [mmdc_path, "-i", abs_in, "-o", abs_out, "-t", "neutral", "-w", "2200", "-H", "1500", "--scale", "2.0"] ... subprocess.run(cmd, capture_output=True, text=True, timeout=30)

The skill can run the local Mermaid CLI to render diagrams. This is expected for Mermaid support. The argument-list form keeps diagram-derived strings out of shell parsing and the timeout bounds a hung renderer, but the renderer still processes text taken from the Markdown file with whatever privileges the conversion runs under, so it remains local command execution.

User impact: If Mermaid rendering is enabled, conversion can invoke an external local program on diagram content from the Markdown file.
Recommendation: Use the optional Mermaid CLI only when needed, keep it updated, and avoid converting untrusted Markdown diagrams in sensitive environments.
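The wrapper below is an added example, not code from the skill or from the ClawScan report. It shows what a hardened version of the invocation in the finding looks like in practice: the CLI is resolved once to an absolute path, diagram text reaches the renderer only through a temporary input file (never through the command line or a shell), the source size is capped, stdin is closed, and a missing CLI, a timeout or a renderer failure becomes a `RenderResult` the converter can report instead of an exception that aborts the whole document. The `shutil.which` lookup, the size cap and the `RenderResult` type are this example's own assumptions; the `mmdc` flags are the ones quoted in the finding.

```python
"""Hardened invocation of an external diagram renderer.

Added example (not the skill's code). Assumptions: the CLI is located with
shutil.which, diagram text is written to a temp file, and failures are returned
as a RenderResult rather than raised.
"""
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from typing import List, Optional

RENDER_TIMEOUT_S = 30            # same bound as the snippet in the finding
MAX_DIAGRAM_BYTES = 64 * 1024    # assumed cap on diagram source size


@dataclass
class RenderResult:
    ok: bool
    output_path: Optional[str]
    error: str


def resolve_cli(name: str = "mmdc", search_path: Optional[str] = None) -> Optional[str]:
    """Locate the renderer on PATH (or an explicit directory) and pin its real path.

    Resolving once and passing an absolute path means a later PATH change or a
    same-named file in the working directory cannot swap the binary mid-run.
    """
    found = shutil.which(name, path=search_path)
    if found is None:
        return None
    real = os.path.realpath(found)
    if not (os.path.isfile(real) and os.access(real, os.X_OK)):
        return None
    return real


def render_mermaid(diagram_src: str, out_path: str, cli_path: Optional[str]) -> RenderResult:
    """Render one Mermaid diagram to out_path using the renderer at cli_path.

    Untrusted content only ever travels through the input file. With shell=False and
    a fixed argument list, diagram text such as '"; rm -rf ~ #' is just bytes the
    renderer reads, never something a shell interprets.
    """
    if cli_path is None:
        return RenderResult(False, None, "Mermaid CLI not available; diagram left unrendered")
    data = diagram_src.encode("utf-8")
    if len(data) > MAX_DIAGRAM_BYTES:
        return RenderResult(False, None, f"diagram source exceeds {MAX_DIAGRAM_BYTES} bytes")
    with tempfile.TemporaryDirectory() as tmp:
        in_path = os.path.join(tmp, "diagram.mmd")
        with open(in_path, "wb") as fh:
            fh.write(data)
        cmd = [cli_path, "-i", in_path, "-o", out_path,
               "-t", "neutral", "-w", "2200", "-H", "1500", "--scale", "2.0"]
        try:
            proc = subprocess.run(
                cmd,
                shell=False,                 # argument list, no shell parsing
                stdin=subprocess.DEVNULL,    # renderer cannot block waiting on our stdin
                capture_output=True,
                text=True,
                timeout=RENDER_TIMEOUT_S,    # child is killed when the timeout expires
                check=False,
            )
        except subprocess.TimeoutExpired:
            return RenderResult(False, None, f"renderer exceeded {RENDER_TIMEOUT_S}s and was killed")
        except OSError as exc:
            return RenderResult(False, None, f"could not start renderer: {exc}")
    if proc.returncode != 0:
        return RenderResult(False, None, f"renderer exit {proc.returncode}: {proc.stderr.strip()[:200]}")
    if not os.path.isfile(out_path):
        return RenderResult(False, None, "renderer exited 0 but produced no output file")
    return RenderResult(True, out_path, "")


def render_all(diagrams: List[str], out_dir: str, cli_name: str = "mmdc") -> List[RenderResult]:
    """Resolve the CLI once, then render each diagram; a missing CLI degrades to
    'no diagrams rendered' instead of crashing mid-conversion."""
    cli = resolve_cli(cli_name)
    return [render_mermaid(src, os.path.join(out_dir, f"diagram_{i}.png"), cli)
            for i, src in enumerate(diagrams)]
```

None of this removes the risk the finding describes: the renderer still runs locally on diagram text the Markdown author controls. What the wrapper buys is that the only thing it can do with that text is what the renderer itself does with an input file, and that a bad diagram fails one image rather than the whole conversion.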
Tool Misuse and Exploitation
Severity: Low | Confidence: Medium | Status: Note
CHANGELOG.md
External URL image support: images referenced by external URLs in Markdown are downloaded automatically and embedded in the Word document ... externally linked images are downloaded via urllib.request ... both local-path images and HTTP/HTTPS externally linked images are supported

The artifacts document automatic downloading of HTTP/HTTPS images referenced by Markdown. This is purpose-aligned for image embedding, but Markdown-controlled URLs can cause outbound web requests during conversion.

User impact: Converting a Markdown file with remote images may contact third-party websites chosen by whoever wrote the Markdown, and reveal network metadata such as the converter machine's IP address.
Recommendation: Convert trusted Markdown, remove or review remote image links when privacy matters, and consider blocking outbound network access (for example by running the conversion in a network-isolated sandbox) if remote image fetching is not desired.
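The audit below is an added example, not the skill's code and not part of the ClawScan report. It implements the review step the recommendation asks for: it lists every image reference in a Markdown document, separates local paths from remote URLs, and refuses the ones a converter should never fetch on an author's say-so (non-http schemes, loopback and other non-public addresses, hosts outside an optional allowlist). Scanning both `![alt](url)` and `<img src="...">`, the public-address rule, the allowlist and the redirect refusal are this example's own assumptions about policy. One general fact motivates the scheme check: `urllib.request.urlopen` accepts `file://` URLs as well as `http(s)://`, so a fetcher that does not filter schemes can be pointed at local files. The sample Markdown is constructed for the example.

```python
"""Audit image references in Markdown before conversion and fetch only what policy allows.

Added example (not the skill's code). Assumptions: both Markdown and <img> image
syntax are scanned; only http/https to public addresses, optionally restricted to an
allowlist, may produce an outbound request; redirects are refused.
"""
import ipaddress
import re
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
HTML_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


@dataclass(frozen=True)
class ImageRef:
    url: str
    kind: str     # "local" (read from disk), "remote" (outbound request), "blocked"
    reason: str


def classify(url: str, allowed_hosts: Optional[Set[str]] = None) -> ImageRef:
    """Decide how a single image URL may be handled."""
    url = url.strip()
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "" or len(scheme) == 1:          # relative path, or a Windows drive letter
        return ImageRef(url, "local", "local path")
    if scheme not in ("http", "https"):           # file:, data:, ftp:, ... never fetched
        return ImageRef(url, "blocked", f"scheme {scheme!r} not permitted")
    host = (parsed.hostname or "").lower()
    if not host:
        return ImageRef(url, "blocked", "no host in URL")
    if host == "localhost" or host.endswith(".localhost"):
        return ImageRef(url, "blocked", "loopback host")
    try:
        # Literal IPs: reject loopback, RFC1918, link-local (169.254.x.x metadata), etc.
        if not ipaddress.ip_address(host).is_global:
            return ImageRef(url, "blocked", "non-public IP address")
    except ValueError:
        pass   # a DNS name; not resolved here, so use the allowlist if names may point inside
    if allowed_hosts is not None and host not in allowed_hosts:
        return ImageRef(url, "blocked", "host not in allowlist")
    return ImageRef(url, "remote", f"outbound {scheme} request to {host}")


def audit_markdown(md: str, allowed_hosts: Optional[Set[str]] = None) -> List[ImageRef]:
    """Every image reference in the document with its policy decision."""
    refs: List[ImageRef] = []
    for pattern in (MD_IMAGE, HTML_IMG):
        for match in pattern.finditer(md):
            refs.append(classify(match.group(1), allowed_hosts))
    return refs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise on 3xx instead of following: a public URL
    could otherwise redirect the fetch to an internal address after the check passed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_if_allowed(ref: ImageRef, max_bytes: int = 10 * 1024 * 1024,
                     timeout: float = 10.0) -> Optional[bytes]:
    """Download a 'remote' reference with a timeout and size cap; anything else is skipped."""
    if ref.kind != "remote":
        return None
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(ref.url, headers={"User-Agent": "md2docx-audit-example/0"})
    with opener.open(req, timeout=timeout) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"{ref.url}: image exceeds {max_bytes} bytes")
    return data


# Constructed sample document (not from the skill) covering each decision branch.
SAMPLE_MD = """# Quarterly report
![logo](images/logo.png)
![chart](https://example.com/chart.png "Q1 figures")
![meta](http://169.254.169.254/latest/meta-data/)
![secret](file:///etc/passwd)
<img src="http://127.0.0.1:8080/internal.png">
![flow](C:\\diagrams\\flow.png)
"""

if __name__ == "__main__":
    for ref in audit_markdown(SAMPLE_MD):
        print(f"{ref.kind:7} {ref.url}  ({ref.reason})")
```

Running the audit before conversion gives the reviewer the list of hosts the conversion would contact; an empty set of `remote` entries means the converter can be run with outbound access blocked and lose nothing.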