HTML to PDF

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to do the advertised HTML/URL-to-PDF conversion, but users should be cautious with the manual Puppeteer/Chromium install and optional troubleshooting steps that weaken browser protections.

This skill is generally purpose-aligned. Before installing, use a trusted npm setup, consider pinning Puppeteer, and leave Chromium sandboxing enabled. Avoid converting untrusted HTML or URLs unless you run the tool in an isolated environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the dependency pulls remote code and a Chromium binary onto the user's machine.

Why it was flagged

The skill depends on an unpinned npm install that downloads a browser runtime; this is expected for Puppeteer but expands installation trust beyond the included skill files.

Skill content

npm install puppeteer

This automatically downloads a compatible version of Chromium.

Recommendation

Install from a trusted npm environment, consider pinning Puppeteer versions in a project, and review dependency provenance before use.

What this means

If a user follows these troubleshooting steps, malicious or compromised web content may have less browser/OS containment during conversion.

Why it was flagged

The setup guide suggests optional troubleshooting steps that weaken browser or OS protections; they are not default code behavior, but they matter because the skill can render arbitrary HTML or URLs.

Skill content

Try launching with minimal sandbox:
# const browser = await puppeteer.launch({ headless: 'new', args: ['--no-sandbox'] });
...
# Allow unsigned app
xattr -d com.apple.quarantine /path/to/chrome

Recommendation

Keep Chromium sandboxing enabled whenever possible, avoid removing quarantine from untrusted binaries, and use an isolated environment if converting untrusted HTML or URLs.