MDshare Agent

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill

Name: mdshare-agent

Version: 1.0.0

The mdshare-agent skill is a legitimate utility for managing temporary Markdown shares via the MDShare service (https://share.yekyos.com). The skill includes well-defined API interactions and workflows that align with its stated purpose of anonymous publishing. Notably, it contains proactive security instructions for the agent, such as protecting sensitive owner/editor tokens and requiring explicit user confirmation before accessing 'burn-after-read' content or forcing updates. There is no evidence of malicious intent or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Content may leave the local conversation and become reachable by link through the selected MDShare service.

Why it was flagged

Markdown content is sent to an external MDShare deployment, and the selected deployment can change if the caller provides a different base URL.

Skill content

Default base URL: `https://share.yekyos.com`; If the caller provides another deployment, use that instead. ... Send `POST /api/shares` with JSON: `markdownContent`

Recommendation

Verify the base URL and only publish Markdown that the user intends to share through that deployment.

What this means

Anyone who obtains a manage or edit link can perform the actions permitted by that token; the owner token can delete or change settings.

Why it was flagged

The manage/edit URLs and `x-share-token` header act as bearer permissions for editing, changing settings, or deleting a share.

Skill content

Manage: `{baseUrl}/e/{slug}#manage={ownerToken}` ... Use header: `x-share-token: <token>`

Recommendation

Keep manage/edit links private and return or share them only when the user needs those capabilities.

What this means

A mistaken target link, token, or confirmation could update or delete a temporary share.

Why it was flagged

The documented workflows can modify or delete remote shares, but they include user-control safeguards such as explicit confirmation for force overwrite and delete when intent is not already clear.

Skill content

When saving new Markdown, send `PATCH /api/shares/{slug}/manage` ... Only use `force: true` after explicit confirmation. ... Call `DELETE /api/shares/{slug}/manage`.

Recommendation

Review the target share and requested action before update/delete operations, and preserve the explicit confirmation guardrails.