Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill 2

v1.0.0

Convert Markdown text to beautifully styled, self-contained HTML with embedded CSS. Perfect for newsletters, documentation, reports, and email templates.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided files: a small, zero-dependency Python tool that converts Markdown to styled HTML with embedded CSS. The code implements the claimed features (headings, lists, links, images, code blocks, etc.), though 'Full Markdown support' is an optimistic claim (the converter is a hand-rolled subset, not a complete CommonMark implementation).
Instruction Scope
SKILL.md and main.py are scoped to reading a file or stdin and producing an HTML file (expected). However, the converter does not HTML-escape arbitrary non-code text nor sanitize links/images. That means user-supplied Markdown can inject raw HTML or create links with javascript: URIs, and produced HTML can cause remote resource loads (images) or XSS when opened in a browser. The README does not warn about these risks and 'self-contained' might be misread as 'no external resource loads' (only the CSS is embedded).
Install Mechanism
No install spec; instruction-only with a single local Python script that uses the standard library. Nothing is downloaded or written beyond outputs the script itself creates (the HTML output file). Low install risk.
Credentials
No environment variables, credentials, or config paths are requested — proportional and appropriate for a local file conversion utility.
Persistence & Privilege
No persistent or elevated privileges requested. The "always" field is false; the skill does not modify other skills or system configuration.
Assessment
This skill appears to do what it says and runs locally, but treat output HTML as potentially unsafe if the Markdown is untrusted. Before using with third-party or user-provided Markdown, either: (a) sanitize the input (or sanitize the produced HTML) to strip scripts, javascript: URIs, and dangerous tags/attributes (e.g., using html.escape or a library like bleach), (b) avoid opening generated HTML in a browser for untrusted content, or (c) extend the tool to escape HTML in non-code text and validate/relativize image/link URLs. Also note that images referenced in the Markdown will be loaded by a browser when the HTML is opened, which can leak requester IPs and other metadata. If you need robust CommonMark compliance and XSS protection, prefer a well-maintained Markdown library plus an HTML sanitizer.


