Skill v0.1.8
ClawScan security
RenderMark · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 8:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: RenderMark's stated purpose (markdown rendering, export, publishing) matches the binaries it requests, its config path, its install step, and its runtime instructions. The artifact is internally coherent, but it depends on a remote npm package that you must decide to trust before installing.
- Guidance: The skill is internally consistent for a markdown rendering and publishing tool. Before installing:
  - Verify the npm package and its maintainer: check the @rendermark/mcp-server page on the npm registry and the homepage https://rendermark.app.
  - Review the package's code where you can, because npx fetches and executes remote code.
  - Store the API key or OAuth client secret in ~/.rendermark/config.json only if you trust the service, and consider scoping and rotating those keys.
  - PDF/image export may require a browser engine or a third-party Browserless API key, which extends your trust to that provider.
  - Publishing and deleting act on your RenderMark account; treat destructive operations such as delete_document with care.
  - For lower risk, do not run npx with -y, and inspect the package version before running it.
Review Dimensions
- Purpose & Capability: ok · The name and description (rendering, export, publish) align with the declared requirements: npx/Node, an API key (RENDERMARK_API_KEY), and a home config file (~/.rendermark/config.json). The Google OAuth and Browserless keys are optional and clearly tied to the Google Docs and PDF/image export features.
- Instruction Scope: ok · The SKILL.md instructions are scoped to document rendering and publishing tasks. They reference only the declared config file and API key, describe the optional Google OAuth and browser-engine requirements, and do not instruct reading unrelated system files or sending data to undeclared endpoints.
- Install Mechanism: note · Install uses an npm package (@rendermark/mcp-server) invoked via npx. This is the standard pattern for Node CLIs, but npx fetches the package from the npm registry and executes it at install/run time, so it carries the usual risk of running remote code: any install-time lifecycle scripts and the binary itself run with the invoking user's privileges.
- Credentials: ok · Only one primary credential (RENDERMARK_API_KEY) and a user-home config path are required. The optional credentials (Browserless API key, Google OAuth client ID/secret) are justified by the corresponding features (PDF/image export, Google Docs). No unrelated secrets or excessive environment access are requested.
- Persistence & Privilege: ok · The skill is not marked forced-always; autonomous invocation follows the platform default. It installs one CLI binary (rendermark-mcp) via the declared npm package and declares no system-wide configuration changes beyond the user's home config. No unexpected privilege escalation is requested.
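The Guidance and the Install Mechanism note both come down to one procedure: look at the package before npx executes it, confirm it declares only the binary the skill claims, and pin what you run. The script below is an added example, not RenderMark's or ClawHub's own code. It assumes a POSIX shell with grep and awk; the network commands are shown only as comments so it runs offline, and the two package.json files it checks are constructed samples under a placeholder name, not the real package's contents. The package name @rendermark/mcp-server and the binary name rendermark-mcp are the skill's declared values; the version is a placeholder you fill in from `npm view`.

```shell
#!/bin/sh
# Added example (not the RenderMark or ClawHub project's code): pre-install audit
# of an npm package a skill wants to run through npx. Assumes POSIX sh, grep, awk.
set -eu

# Network steps a reviewer runs first (commented out so this file works offline):
#   npm view @rendermark/mcp-server versions maintainers dist.tarball
#   npm pack @rendermark/mcp-server@<version>      # downloads the tarball, runs nothing
#   tar -xzf rendermark-mcp-server-<version>.tgz   # extracts to ./package
# Then point the functions below at ./package/package.json.

# Return 0 when package.json declares a hook that runs code at install time.
# These execute when the package is installed, before any CLI is ever invoked.
has_install_hook() {
    grep -Eq '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1"
}

# Print the command names declared under "bin" (object form only), one per line.
list_bins() {
    awk '
        /"bin"[[:space:]]*:[[:space:]]*[{]/ { inbin = 1 }
        inbin {
            line = $0
            while (match(line, /"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"/)) {
                key = substr(line, RSTART + 1)
                sub(/".*/, "", key)
                if (key != "bin") print key
                line = substr(line, RSTART + RLENGTH)
            }
        }
        inbin && /[}]/ { inbin = 0 }
    ' "$1"
}

# Does the package declare the binary the skill says it installs?
bin_matches_skill() {
    list_bins "$1" | grep -qx "$2"
}

# Pinned invocation: explicit version and no -y, so npx asks before downloading.
pinned_npx_command() {
    printf 'npx --package=%s@%s %s\n' "$1" "$2" "$3"
}

# Returns 0 when the package declares exactly the expected command and no
# install-time hooks; 1 otherwise. The echo lines are for the human reviewer.
audit_package() {
    pkg_json=$1; expected_bin=$2; status=0
    if has_install_hook "$pkg_json"; then
        echo "WARN: install-time script hook declared (preinstall/install/postinstall/prepare)"
        status=1
    fi
    if ! bin_matches_skill "$pkg_json" "$expected_bin"; then
        echo "WARN: package does not declare the expected command '$expected_bin'"
        status=1
    fi
    extra=$(list_bins "$pkg_json" | grep -vx "$expected_bin" || true)
    if [ -n "$extra" ]; then
        echo "WARN: additional commands declared: $(printf '%s' "$extra" | tr '\n' ' ')"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: bin matches the skill and no install hooks declared"
    return "$status"
}

# Constructed sample package.json files (placeholder package name, not the real
# @rendermark/mcp-server contents) standing in for ./package/package.json.
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
CLEAN_PKG="$AUDIT_DIR/clean.json"
HOOKED_PKG="$AUDIT_DIR/hooked.json"
cat > "$CLEAN_PKG" <<'EOF'
{
  "name": "@example/mcp-server",
  "version": "1.0.0",
  "bin": { "rendermark-mcp": "dist/cli.js" },
  "scripts": { "build": "tsc", "test": "vitest" }
}
EOF
cat > "$HOOKED_PKG" <<'EOF'
{
  "name": "@example/mcp-server",
  "version": "1.0.1",
  "bin": {
    "rendermark-mcp": "dist/cli.js",
    "rm-helper": "dist/helper.js"
  },
  "scripts": {
    "build": "tsc",
    "postinstall": "node scripts/setup.js"
  }
}
EOF

echo "Clean sample:";  audit_package "$CLEAN_PKG" rendermark-mcp || true
echo "Hooked sample:"; audit_package "$HOOKED_PKG" rendermark-mcp || true
pinned_npx_command @rendermark/mcp-server '<version>' rendermark-mcp
```

has_install_hook is the check that matters most: a lifecycle script fires on install whether or not you ever run the CLI, which is exactly the exposure the Install Mechanism note describes. list_bins reads only the object form of "bin"; a string-form "bin" (one command named after the package) would need a separate check, and a package whose scripts are generated at build time still has to be read by hand.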
