Agent Reader
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may execute npm-supplied code and download a browser dependency, so behavior can depend on the upstream package version and integrity.
The documented setup runs an external npm package without a version pin and may download Puppeteer at runtime. This is consistent with an MCP document renderer, but it creates normal package provenance and update risk.
"command": "npx", "args": ["-y", "agent-reader", "mcp"] ... "PDF export requires Puppeteer (auto-installed on first use)"
Install only from the intended npm/GitHub source, prefer pinning a package version, and review package or dependency changes before adding it to an MCP configuration.
If pointed at the wrong folder or Markdown source, generated documents could include unintended local images or resources.
The tool interface accepts local paths so it can include referenced images and build slideshows. This is expected for the stated purpose, but users still choose which local directories or resources are read into generated output.
"source_path": "Source markdown path for relative images; relative resources must stay under source directory." ... "image_dir": "Absolute or relative image directory path"
Invoke it only with intended Markdown and image paths, and review generated files before sharing them.