ClawHub

Doc2Markdown

v1.0.9

Lightweight document utility designed to convert files to Markdown (MD), built specifically for intelligent agents (e.g., OpenClaw, ClaudeCode) to read and p...

6· 182·2 current·2 all-time
by@haoyt27
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Node script align: the skill requires node, uploads a file to lab.hjcloud.com to convert it, polls for status, downloads a ZIP and extracts it to the source directory. Required binaries and functionality are proportional to the stated purpose.
Instruction Scope
SKILL.md and the script consistently instruct uploading the provided file to the remote docchain service and saving the returned archive locally. This is in-scope for a conversion utility, but it does involve sending user files to an external service (explicitly documented). The instructions do not request unrelated files, env vars, or credentials. Review of the ZIP extraction implementation is recommended to ensure it sanitizes paths and avoids directory-traversal when writing files.
Install Mechanism
No install spec; this is an instruction-only skill with a bundled Node script. It does not download or install external code at runtime and relies only on built-in Node modules (fs, http/https, path). This is low-risk from an install-vector perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no indications it tries to access unrelated secrets or system-wide configuration.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide agent settings per the provided code and metadata.
Assessment
This skill appears to do exactly what it says: it uploads the file you specify to the service at lab.hjcloud.com, waits for conversion, downloads a ZIP, and extracts Markdown locally. Before installing or using it: 1) Do not upload sensitive or confidential documents unless you trust the external service and its retention policy (SKILL.md warns about this). 2) If you are concerned about local extraction safety, review the script's ZIP-saving/extraction code (ensure it prevents path traversal and overwriting of unexpected files) or run conversions in an isolated environment. 3) Verify the external domain (lab.hjcloud.com) and its privacy/terms if you will process private data. If you want extra caution, test with non-sensitive sample files first.

Like a lobster shell, security has layers — review code before you run it.

latestvk976p89j426xqbvwmabg3m9gm183qfzv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis
Binsnode

Comments