Make To Markdown

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine document-to-Markdown converter, but it automatically installs persistent dependencies and its scripts do not enforce some documented confirmation safeguards for overwrites and batch work.

Install only if you are comfortable with first-run network access and persistent package/tool installation. Prefer using it in a virtual environment or container, review output paths before running, avoid untrusted Office documents unless LibreOffice/Office is patched and sandboxed, and use a dedicated output directory for batch conversion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    print(f"  [INFO] 将执行: pip install {pkg_name}(从 PyPI 下载,约数 MB,不会上传本机数据)")
    print(f"  [依赖] 安装 {pkg_name} ...", end='', flush=True)
    result = subprocess.run(
        [sys.executable, '-m', 'pip', 'install', pkg_name, '-q'],
        capture_output=True, text=True, timeout=120,
    )
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, '-m', 'pip', 'install', pkg_name, '-q'], capture_output=True, text=True, timeout=120, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Deduplicate and install
unique_pkgs = list(dict.fromkeys(extra_pkgs))
try:
    subprocess.run(
        [uv_bin, 'tool', 'install', 'markitdown', '--force']
        + [f'--with={pkg}' for pkg in unique_pkgs],
        capture_output=True, text=True, timeout=180,
Confidence
98% confidence
Finding
subprocess.run( [uv_bin, 'tool', 'install', 'markitdown', '--force'] + [f'--with={pkg}' for pkg in unique_pkgs], capture_output=True, text=True, timeout=180

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    abs_input = os.path.abspath(input_path)
    abs_output = os.path.abspath(output_dir)
    result = subprocess.run(
        [soffice, '--headless', '--convert-to', convert_to,
         '--outdir', abs_output, abs_input],
        capture_output=True, text=True, timeout=60,
Confidence
66% confidence
Finding
result = subprocess.run( [soffice, '--headless', '--convert-to', convert_to, '--outdir', abs_output, abs_input], capture_ou

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if info.is_windows:
    kwargs.setdefault("shell", True)
    kwargs.setdefault("encoding", "utf-8")
return subprocess.run(cmd, **kwargs)


# ── Module self-test ──
Confidence
93% confidence
Finding
return subprocess.run(cmd, **kwargs)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill exceeds its apparent purpose by automatically installing packages from package registries during file conversion. That creates a significant supply-chain and remote-code-execution risk because registry content is executed in the local environment, and users may not expect a conversion skill to modify the host system.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Installing extras such as YouTube transcript support broadens the skill from local document conversion into network-reliant capability, increasing attack surface and data-flow complexity. In this context that scope expansion is risky because it happens implicitly and may expose the environment to unnecessary external dependencies and outbound requests.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly advertises automatic dependency installation and platform-specific external processing, but does not clearly warn users that running the tool may modify the local environment and initiate outbound network access to install packages. In an agent skill context, this is security-relevant because users may expect document conversion only, not implicit package installation or invocation of external components such as Office/LibreOffice-based preprocessors.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The batch conversion documentation describes recursive processing and error logging, but does not clearly emphasize that running the tool can write transformed content and log files across entire directory trees. In a bulk-processing skill, unclear write-scope disclosure can lead to unintended data modification, storage of sensitive derived content, or accidental processing of directories the user did not mean to target.

VirusTotal

65/65 vendors flagged this skill as clean.
