Markdown.new Skill
Status: Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: markdown-convert
Version: 1.0.0

The `scripts/markdown_new_fetch.py` script contains two significant vulnerabilities. The `--api-url` argument allows the agent to send the target URL's content to an arbitrary endpoint, posing an SSRF/data exfiltration risk if an attacker can control this parameter via prompt injection. Additionally, the `--output` argument allows writing the converted markdown to an arbitrary file path, which could lead to arbitrary file writes if an attacker can manipulate the agent's input. While these are critical vulnerabilities, there is no clear evidence of intentional malicious design (e.g., hardcoded malicious domains, exfiltration of local secrets, or persistence mechanisms); the script's core function is legitimate. Therefore, it is classified as suspicious due to these exploitable capabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user supplies a private, internal, or sensitive URL, that URL would be sent to a third-party service.
The script sends the requested URL and conversion options to the external markdown.new service. This is disclosed and central to the skill, but it means the provider receives the URL.
`DEFAULT_API_URL = "https://markdown.new/"` ... `payload = {"url": args.url, "method": args.method, "retain_images": bool(args.retain_images)}`
Use this skill only with public URLs and avoid submitting private, authenticated, internal, or confidential links.
Converted pages could influence an agent or RAG pipeline if their text is treated as instructions instead of untrusted source material.
The skill prepares arbitrary public web page content for LLM and RAG workflows. Such content can contain misleading or adversarial instructions even after conversion to Markdown.
Use when tasks require URL-to-Markdown conversion for summarization, RAG ingestion, extraction, archiving...
Treat converted Markdown as untrusted quoted content, verify critical extractions, and avoid letting page text override user or system instructions.
Users have less registry-level assurance about where the helper script came from or what runtime requirement, such as Python, is expected.
The registry metadata does not provide source provenance or an install spec, while the skill includes and documents a Python helper script. The helper script is coherent with the purpose, but users should be aware of the provenance gap.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: scripts/markdown_new_fetch.py
Review the included script before use and ensure Python 3 is available; prefer installing from a trusted source if available.
