Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill

v1.0.0

Convert any URL or file to Markdown. Supports webpage, WeChat, YouTube, Bilibili, Douyin, Xiaohongshu, PDF, and Office files.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Declared dependencies (ffmpeg, yt-dlp, whisper) are consistent with video/audio download + ASR for a converter. However: deno is installed by the spec but never referenced in the runtime instructions, and the primary runtime command is 'tomd' with no explanation where that comes from (the uv package points to a GitHub repo, which likely supplies tomd). The presence of both a brew 'openai-whisper' and a python3 requirement is redundant but explainable. These are plausibly legitimate but the extra/unused installs are unexplained.
Instruction Scope
The SKILL.md states that if YouTube requires sign-in, 'tomd will automatically retry with browser cookies from Chrome.' That implies reading Chrome cookie/profile files (sensitive data) from the user's system. The instructions do not limit or document this behavior, nor do they provide a safe fallback. Also the doc tells the agent how to install tomd from a remote git URL if missing, which means downloading and installing third‑party code at runtime.
Install Mechanism
Installs common tooling via Homebrew (yt-dlp, deno, ffmpeg, openai-whisper) which is reasonable. The uv install pulls 'anything-to-md' directly from a GitHub repo (git+https://github.com/...), which will download and install upstream code — expected for a third-party CLI but higher-risk than using a vetted release package. The SKILL.md contains a confusing install line 'uv pip install "anything-to-md[video] @ git+https://..."' (mixes uv and pip syntax), indicating sloppy or ambiguous install instructions.
Credentials
No environment variables or credentials are declared or required, which is appropriate. However, the implicit use of Chrome browser cookies (to bypass YouTube sign-in) is a disproportionate access to sensitive local secrets and is not declared in requires/config paths. The skill may attempt to read local browser data without the user explicitly providing or consenting to it.
Persistence & Privilege
The skill does not request always:true and does not declare config paths or other persistent privileges. It does install third-party tooling into the environment (brew/uv), which is normal for CLI wrappers but not privileged beyond that.
What to consider before installing
This skill appears to do what it claims (convert webpages and videos to Markdown) but exercise caution before installing:

  • Review the GitHub repo (https://github.com/haiwenai/anything-to-md) before installing code from it; the uv install pulls code directly from that repo.
  • Be aware that the tool may try to read Chrome browser cookies to access YouTube content; that can expose sensitive session data. If you don't want that, run the tool in a sandbox/container or deny it access to your browser profile.
  • The SKILL.md mixes install instructions (e.g., 'uv pip install ...') and includes redundant packages (deno vs python3/whisper); clarify which runtime is actually used (inspect the repo) before adding these binaries system‑wide.
  • Prefer testing in an isolated environment (container or VM) and inspect what the 'tomd' CLI does (look for code that reads files like browser profile paths) before giving the tool access to local files.

If you need help checking the GitHub code for the exact cookie-access behavior or clarifying the install commands, provide the repo contents or allow a deeper review.
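An added example, not part of the skill or its repository: a small static check for the behaviour the scan calls out, flagging source lines that reference yt-dlp's browser-cookie import (`--cookies-from-browser` on the CLI, `cookiesfrombrowser` in its Python options) or Chrome's default profile paths. The sample tree is constructed for the demo and says nothing about the real repo's contents; the indicator list is an assumption and is not exhaustive.

```python
import re
import tempfile
from pathlib import Path

# Indicators of browser-cookie access (assumed, non-exhaustive list).
# The yt-dlp names are that tool's option names; the paths are Chrome defaults.
INDICATORS = {
    "yt-dlp cookie import": re.compile(r"cookies[-_]?from[-_]?browser", re.I),
    "Chrome profile path": re.compile(r"Google[/\\]+Chrome|\.config/google-chrome", re.I),
    "cookie-reading library": re.compile(r"\bbrowser_cookie3\b"),
}
SOURCE_SUFFIXES = {".py", ".sh", ".toml", ".md", ".cfg", ".json"}


def scan_tree(root):
    """Return (relative_path, line_no, indicator, line) for every hit under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    findings.append((rel, line_no, name, line.strip()))
    return findings


def build_sample_tree(root):
    """Write constructed sample files; NOT the contents of the real repository."""
    (root / "pkg").mkdir()
    (root / "pkg" / "fetch.py").write_text(
        "opts = {'quiet': True}\n"
        "opts['cookiesfrombrowser'] = ('chrome',)  # retry path\n")
    (root / "pkg" / "convert.py").write_text("def to_md(html):\n    return html\n")
    (root / "README.md").write_text("Falls back to `--cookies-from-browser chrome`.\n")


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, line_no, name, line in demo():
        print(f"{rel}:{line_no}: [{name}] {line}")
```

Point `scan_tree` at a local clone of the repo before installing. A hit tells you where to start reading; an empty result does not prove the behaviour is absent.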

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📄 Clawdis
Bins: python3, ffmpeg

Install

Homebrew
Bins: yt-dlp
brew install yt-dlp
Homebrew
Bins: deno
brew install deno
Homebrew
Bins: ffmpeg
brew install ffmpeg
Homebrew
Bins: whisper
brew install openai-whisper
uv
MIT-0

anything-to-md

Convert any URL or file to high-quality Markdown using the tomd command.

Supported Inputs

  • Webpage URL — any website article
  • WeChat article (mp.weixin.qq.com links)
  • YouTube video — extracts subtitles or downloads audio for ASR transcription
  • Bilibili video — downloads audio and transcribes via Whisper ASR
  • Douyin video — extracts from iesdouyin (zero-dependency), transcribes audio
  • Xiaohongshu post — image/video notes, supports share text with URL extraction
  • Local files — PDF, DOCX, PPTX, XLSX, EPUB, CSV, JSON, etc.

How to Use

When the user provides a URL or file path and asks to convert it to Markdown, run:

tomd "<input>" --stdout

Where <input> is:

  • A URL: https://example.com/article
  • A share text containing a URL (common for Douyin/Xiaohongshu): "照着做!... http://xhslink.com/xxx ..."
  • A local file path: ~/Documents/paper.pdf

Options

  • --stdout — output Markdown to stdout (default when used as a skill)
  • -o <path> — save to a specific file
  • -d <dir> — save to a specific directory
  • --type <type> — force input type: webpage, wechat, youtube, bilibili, douyin, xiaohongshu, file
  • -v — verbose output with progress logs

Examples

# Convert a webpage
tomd "https://example.com/article" --stdout

# Convert a YouTube video (extracts subtitles or ASR)
tomd "https://www.youtube.com/watch?v=xxxxx" --stdout

# Convert a WeChat article
tomd "https://mp.weixin.qq.com/s/abc123" --stdout

# Convert a Bilibili video
tomd "https://www.bilibili.com/video/BVxxx" --stdout

# Convert from Douyin share text
tomd "https://v.douyin.com/xxx" --stdout

# Convert a Xiaohongshu post
tomd "https://www.xiaohongshu.com/explore/xxx" --stdout

# Convert a local PDF
tomd ~/Documents/paper.pdf --stdout

Output Format

The output is Markdown with YAML frontmatter containing metadata:

---
title: Article Title
author: Author Name
source_url: https://...
source_type: webpage
date: 2026-04-22
---

Article content in Markdown...

For video content, the output includes a ## Transcript section with timestamped text.

Error Handling

  • If tomd is not found, install it: uv pip install "anything-to-md[video] @ git+https://github.com/haiwenai/anything-to-md.git"
  • If ffmpeg is not found: brew install ffmpeg
  • If yt-dlp is not found: brew install yt-dlp
  • If YouTube returns "Sign in to confirm you're not a bot", tomd will automatically retry with browser cookies from Chrome
  • Use -v flag for detailed error diagnosis
