Md To Share
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent Markdown-to-image converter. The main things to notice are its Playwright/Chromium install behavior and its optional instructions for sending generated images to messaging channels.
This skill looks reasonable for converting Markdown into shareable images. Before installing, be aware that npm installation may fetch Playwright Chromium, and before sharing an output image, confirm the target channel and check that the Markdown does not contain private information.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package may download a browser binary and dependencies before use.
Running npm install can download Playwright Chromium and resolve semver-ranged dependencies. This is consistent with the documented browser-rendering purpose, but it is still a networked supply-chain step users should recognize.
"postinstall": "npx playwright install chromium", ... "dependencies": { "marked": "^17.0.4", "playwright": "^1.52.0" }
Install from a trusted source, review package changes before updating, and prefer a lockfile or pinned dependency versions in controlled environments.
If used to share, the generated image may be posted to an external chat or channel.
The skill documents how an agent can send the generated image through a messaging tool. This matches the sharing use case and uses placeholder targets, but sending media to a channel is an external action that should remain user-directed.
"Use the message tool's media parameter" ... "action": "send", "target": "channel_id", "media": "/full/path/to/image.jpg"
Confirm the destination channel and image content before asking the agent to send it, especially for private Markdown files.
