Skill 2
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward local Markdown-to-HTML converter, but users should only convert trusted Markdown because the generated HTML is not sanitized.
This skill is reasonable for local conversion of Markdown you control. Be cautious with Markdown from other people or external sources, because the produced HTML is not sanitized and may be unsafe to open in a browser or distribute as an email/template without additional cleanup.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the input Markdown is untrusted, the output HTML could preserve active or unsafe HTML content such as scripts, unsafe links, or injected attributes when opened or shared.
Most Markdown body text is inserted into the final HTML after regex substitutions, without general HTML escaping or sanitization.
html_lines.append(inline(stripped)) ... result = f"""<!DOCTYPE html> ... <body>\n{body}\n</body>"""
Use this skill for trusted Markdown only, or add HTML escaping/sanitization before using the output in newsletters, documentation sites, or email templates.
