ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SmartPage

v1.0.0

Auto-fit Markdown to one A4 page. Binary search optimal font size, render with 10 themes, export PDF+PNG+MD.

0· 101·0 current·0 all-time
byLaurence Rotolo@fxjhello

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fxjhello/smartpage.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SmartPage" (fxjhello/smartpage) from ClawHub.
Skill page: https://clawhub.ai/fxjhello/smartpage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: npm
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install smartpage

ClawHub CLI

Package manager switcher

npx clawhub@latest install smartpage
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The described functionality legitimately needs a Node-based CLI, so requiring npm makes sense. However the SKILL.md explicitly uses git clone but the registry metadata did not declare git as a required binary. The CLI invocation 'npm smartpage' is not a standard npm command (expected patterns would be 'npx smartpage' or 'npm run <script>'), which is an internal inconsistency.
!
Instruction Scope
Instructions tell the agent to clone https://github.com/fxjhello/SmartPage.git, run 'npm install', write outputs to the user's desktop, read the generated files, and (optionally) start a dev server and open localhost in a browser. These steps will cause the agent to download and execute remote code and read/write local files. The scope of actions (especially running unvetted npm installs and launching a dev server) is broader than 'formatting a single document' and requires user consent and sandboxing.
!
Install Mechanism
There is no formal install spec — the SKILL.md tells the agent to clone a GitHub repo and run 'npm install'. That downloads arbitrary code and packages (including possible postinstall scripts) from an unverified source. The repo owner/URL is provided but there's no homepage, release host, or verification. This is a moderate-to-high risk install pattern unless the repo/package is audited.
Credentials
The skill requests no environment variables or credentials (good). It does require filesystem access to write/read output (desktop path), which is proportional to creating files but should be limited to a user-approved directory. No other environment access is requested.
Persistence & Privilege
The skill does not request always-on presence and does not declare elevated privileges. It does instruct launching a dev server and opening a browser, which is local and optional; this is not a permission escalation but increases attack surface if the code is untrusted.
What to consider before installing
This skill may do what it promises, but the runtime steps include cloning and running code from an unknown GitHub repo with 'npm install' (which can execute arbitrary scripts). Before installing or running: 1) Ask the publisher for a homepage or a verified release (GitHub release tag, npm package name). 2) Verify the repository and inspect package.json and postinstall scripts. 3) Note the SKILL.md is inconsistent (it uses git but doesn't declare git; 'npm smartpage' is not a standard npm command) — ask the author to clarify the exact CLI invocation. 4) If you must try it, run the repo in an isolated environment (container or VM) and set output-dir to a temporary folder (not your Desktop). 5) Do not run 'npm install' or start the dev server on a sensitive machine until you or someone you trust has audited the code. Absence of automated scan findings here does not mean the code is safe.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnpm
latestvk97awtmxhdvbc6ge7nxz75kn39841q40
101downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
Laurence Rotolo@fxjhello
latest
Download

Workflow

When user asks to format/layout a document to one A4 page:

  1. Setup (if repo not present):

    git clone https://github.com/fxjhello/SmartPage.git
cd SmartPage
npm install

  2. Convert source (PDF/DOCX/Excel) to Markdown first if needed

  3. Write Markdown to a temp file

  4. Run CLI (default output to user desktop):

    npm smartpage <file.md> --theme <theme> --output-dir <user-desktop-path>

  5. Read output files (PDF/PNG/MD), send to user

  6. After delivery, ALWAYS:

    • Ask: 效果满意吗?如需微调可以帮你打开 Web 编辑器
    • If user wants to tweak, start the dev server and open the browser: 
      cd SmartPage
npm run dev
      Then open http://localhost:5173 in the browser for the user.

CLI Options

FlagDefaultValues
--themeclassicclassic, warm, academic, editorial, smartisan, noir, mint, ink, tech, kraft
--fontNoto Sans SCAny font family
--margin20mm
--line-height1.5ratio
--paragraph-spacing0.5em
--first-line-indent0em
--output-dir(current dir)Path
--output-nameoutputName without extension

Comments

Loading comments...