md-pdf
v1.0.1Convert Markdown to polished PDF using Pandoc + XeLaTeX for print-quality or browser rendering with emoji and CSS support for rich visuals.
⭐ 0· 137·0 current·0 all-time
byKarl Zhu@karlzhu-zxc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implementation: pandoc/xelatex pipeline (scripts/md2pdf.sh) and a browser-based pipeline (scripts/md2pdf-browser.sh + md2pdf_browser.js) are present. Required binaries and packages (pandoc, xelatex, node/npm, puppeteer-core, marked, twemoji) are appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs the agent to run the included scripts and to provide an input markdown file; runtime code only reads the input file, renders to HTML, and prints to PDF. The browser pipeline does connect to a CDP endpoint (configurable via BROWSER_CDP_URL), which is explicitly documented and required for that pipeline.
Install Mechanism
There is no platform install spec in the registry; the repo includes an Ubuntu installer script that apt-installs pandoc/texlive/fonts/node/npm and the npm dependencies are installed at runtime via `npm install`. This is expected but carries normal package-manager and supply-chain risk (unlocked npm install). No obscure download URLs or extract-from-unknown-server steps are used; twemoji assets come from the public jsDelivr CDN.
Credentials
The skill does not require any declared credentials or config paths. The only optional environment variable referenced is BROWSER_CDP_URL to point the browser pipeline at a CDP endpoint, which is justified by the pipeline design.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or global agent config. Autonomous invocation is allowed by platform default but is not combined with unusual privileges here.
Assessment
This skill appears to do what it says, but consider these practical cautions before installing: 1) The browser pipeline can connect to any CDP URL you provide—avoid pointing it at remote or untrusted browsers because a connected CDP can expose browser state (tabs, cookies, etc.). Prefer a local Chrome instance (http://127.0.0.1:9222). 2) The npm dependencies are installed at runtime with `npm install` (no lockfile); standard supply-chain risks apply—inspect package.json and run in an isolated environment if you have strict security requirements. 3) The installer will run apt-get and requires sudo/root; review the install script if you must limit package installs. If those points are acceptable, the skill is coherent with its description.Like a lobster shell, security has layers — review code before you run it.
latestvk9727bx0nmwycswgancfcf47z183m1by
License
MIT-0
Free to use, modify, and redistribute. No attribution required.