ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

File Converter

v1.0.0

File format conversion skill. Convert between PDF, DOCX, Markdown, HTML, images, audio, and video formats.

0· 70·0 current·0 all-time
by@jpengcheng523-netizen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims a wide set of file conversions but declares no required binaries, no dependencies, and provides no code. Real converters typically need tools like ffmpeg, imagemagick, pandoc, or a bundled script. The SKILL.md expects scripts/convert.py to exist, but there are no code files or install instructions. This mismatch is not coherent with the stated purpose.
!
Instruction Scope
Runtime instructions explicitly tell the agent to run `python3 scripts/convert.py` and operate on arbitrary filesystem paths (e.g., ./document.docx, ./images/). That is within the general conversion purpose, but the instructions give no source for the script, no safety checks, and no constraints. If a convert.py is present or later introduced, the agent could execute arbitrary Python on user files; if it's absent, the skill is non-functional. The instructions are therefore incomplete and potentially risky.
Install Mechanism
There is no install spec (instruction-only), which minimizes automatic code installation risk. However, because the instructions reference a local script and conversion tools, the lack of any install or dependency declaration increases ambiguity about where converting functionality is supposed to come from.
Credentials
The skill requests no environment variables, credentials, or config paths — that is proportionate for a local file-conversion utility. There are no unexplained secret requests.
Persistence & Privilege
Flags are default (always: false, user-invocable: true, model invocation allowed). The skill does not request persistent presence or cross-skill/system configuration changes.
What to consider before installing
This skill looks incomplete: it tells the agent to run scripts/convert.py but the package contains no code and no install instructions. Before installing or using it, ask or verify: 1) Where does scripts/convert.py come from? Can you inspect its source? 2) What external tools are required (ffmpeg, pandoc, imagemagick, libreoffice)? 3) Is there an official source or repository/homepage for the skill and a published install process? 4) Avoid running it on sensitive files until you can review the script. If the author provides the convert.py source or a trustworthy install spec that matches the SKILL.md, re-evaluate — that would reduce the concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk970cwet9yq6a32r2a4nt2qmps83gcvr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments