Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
md2pdf-xelatex
v1.0.0
Convert Markdown files to PDF with full LaTeX math formula rendering and CJK (Chinese/Japanese/Korean) support. Use when the user asks to convert markdown to...
⭐ 0· 642·0 current·0 all-time
by Yuno Wang @huaruoji
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, and included script all align: they implement Markdown→PDF conversion with XeLaTeX and CJK support. However, the registry metadata lists no required binaries or env vars while SKILL.md and scripts explicitly require pandoc, xelatex (texlive-xetex), fc-list (fontconfig), and pdfinfo (poppler-utils). This mismatch is an informational inconsistency that the user should be aware of.
Instruction Scope
SKILL.md and scripts operate on the provided input file, sanitize emoji/quotes, detect CJK via Unicode ranges, probe local fonts (fc-list), write a temporary header.tex, invoke pandoc/xelatex to produce a PDF, and remove temp files. The instructions do not read unrelated system files, contact external endpoints, or request additional credentials.
Install Mechanism
There is no install spec (instruction-only) and the script is included in the package. Nothing is downloaded or executed from external URLs. The script relies on system packages being installed via the platform package manager, which is a low-risk approach.
Credentials
The skill requests no environment variables or credentials. The tools it uses (pandoc, xelatex, fc-list, pdfinfo) are consistent with the stated purpose. No secrets are requested or referenced.
Persistence & Privilege
The skill does not request persistent or elevated privileges, and always:false is set. It does not modify other skills or global agent settings; it only creates and cleans a temporary working directory for each run.
Assessment
This skill appears to do what it says: convert Markdown to PDF with math and CJK support, using a bundled, readable shell script. Before installing or running it:
1) Ensure the host has the required system packages (pandoc, texlive-xetex and related texlive fonts, fontconfig providing fc-list, and poppler-utils/pdfinfo) — SKILL.md lists apt packages but the registry metadata omitted required binaries.
2) Because the registry source/homepage is missing, review the included script (scripts/md2pdf.sh) yourself (it is included) and optionally run it on non-sensitive sample files first.
3) Expect the script to probe local fonts (fc-list) and create temporary files in a temp dir that it deletes on exit.
4) If you need stricter safety, run inside a sandbox or VM with limited network and filesystem access.
If these checks are acceptable, the skill is coherent and low risk to use.
Like a lobster shell, security has layers — review code before you run it.
