ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Markdown.new Skill

v1.0.0

Convert public web pages into clean Markdown with markdown.new for AI workflows. Use when tasks require URL-to-Markdown conversion for summarization, RAG ing...

40· 17.9k·31 current·35 all-time
by@joelchance
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (URL→Markdown via markdown.new) matches the included script and docs. No unrelated credentials, binaries, or install steps are requested; the payload (POST to https://markdown.new/) is exactly what this skill needs.
Instruction Scope
SKILL.md keeps to the task (validate public http/https URLs, call markdown.new, handle rate limits, write output). It explicitly warns to convert only public pages. Note: instructions emphasize running the script from the skill directory and capturing response headers/metadata; the script can write files when --output/--deliver-md is used, so users should be mindful of output paths.
Install Mechanism
No install spec (instruction-only plus a small script). Nothing is downloaded or extracted by the skill at install time, which reduces risk.
Credentials
The skill requests no environment variables or secrets. However, it sends target URLs to an external service (markdown.new). That is expected for the stated purpose but can leak internal hostnames or private URLs if misused; SKILL.md's guidance to only convert public pages is appropriate and should be followed.
Persistence & Privilege
No 'always: true' or other elevated persistence; user-invocable and agent-autonomy are default and appropriate. The skill does not modify other skills or system-wide config.
Assessment
This skill is internally coherent and simple: it posts the target URL to the markdown.new service and returns Markdown. Before installing or using it, 1) avoid passing private, internal, or paywalled URLs (those URLs will be sent to an external service and could leak information); 2) be careful where you write outputs (the script will create directories and files if you use --output or --deliver-md); 3) the script accepts an --api-url override — only use trusted endpoints (changing this could send URLs to a different, possibly malicious service); and 4) test the skill in a safe environment first (use a public, non-sensitive URL) to confirm behavior. If you need conversion of internal content, consider running a self-hosted conversion tool or verifying the markdown.new service's privacy/terms first.

Like a lobster shell, security has layers — review code before you run it.

latestvk970f2sjm31ffwqb0qmj3jrsp981fvjm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments