Markdown to Page

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward local Markdown-to-HTML converter, with the main caution that optional image embedding can copy local file contents into the generated HTML.

This skill looks reasonable for converting your own Markdown files into HTML. Be careful with `--embed-images`: it embeds local files referenced by image links directly into the output, so check the Markdown and generated HTML before sharing. Also note that the registry source/homepage are not provided, so treat the bundled Python script as code you should trust or inspect.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Markdown file with local image references can cause those referenced local files to be embedded into the HTML page, which could accidentally disclose private local content if the page is shared.

Why it was flagged

The optional image-embedding path reads local files referenced from Markdown image syntax and places their bytes into the generated HTML. This matches the advertised feature, but users should avoid using it on untrusted Markdown or review image paths before sharing the output.

Skill content

`img_path = base_dir / src` ... `raw = img_path.read_bytes()` ... `data_uri = f'data:{mime};base64,{b64}'`

Recommendation

Use `--embed-images` only for trusted Markdown, review image paths before generating or sharing the HTML, and consider restricting embedding to files under the input document directory with allowed image extensions.

What this means

Users have less information about where the script came from or where to verify updates.

Why it was flagged

The skill has limited provenance information. This is not suspicious by itself, especially because the visible behavior is coherent, but users have less external source context for the bundled script.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only from a trusted registry context and review the bundled Python script before relying on it for important documents.