ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sawana-multicul/official-docs-to-mdx

v1.0.0

Download and normalize official documentation pages into local .mdx files at user-specified paths using markdown.new. Use when user asks to fetch docs from a...

0· 373·0 current·0 all-time
by@multicul-silver-wolf·duplicate of @multicul-silver-wolf/sawana-multicul
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say: fetch docs via markdown.new and produce .mdx snapshots. The included shell script and SKILL.md perform exactly that (curl to markdown.new, extract Markdown Content, normalize frontmatter, write output). No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Runtime instructions are narrowly scoped: run the provided script with a source URL and output path. SKILL.md also instructs the agent to add index.mdx files for folders (post-processing), which the bundled script does not perform; that requires the agent to modify or create other files in the workspace. This is reasonable for a docs-snapshot workflow but worth noting because the agent will write/overwrite files.
Install Mechanism
There is no external install step or remote download; the behavior is implemented entirely by the included shell script. This minimizes install-time risk.
Credentials
The skill requests no environment variables or credentials. It uses standard CLI tools (bash, curl, awk, mktemp, date) which are declared in SKILL.md and appropriate for the task.
Persistence & Privilege
always:false and no platform-wide changes. The script will create directories and overwrite the specified output file without additional confirmation; users should avoid passing sensitive system paths as the output path. Autonomous invocation is allowed by default (normal) but not elevated here.
Scan Findings in Context
[unicode-control-chars] expected: A zero-width-space / unicode control character appears in the AWK regex used to strip Docusaurus 'direct link' anchor fragments. This is likely intentional to match the literal artifact (e.g., '[ ](#...)') and is consistent with the script's cleanup goals, but it does embed an invisible character which can look like obfuscation.
Assessment
This skill is coherent with its stated goal, but before installing: 1) Understand it fetches content via https://markdown.new/<your-supplied-URL> — you are trusting that external service to retrieve and render the page. 2) The script will overwrite the output path you provide and will create parent directories; do not point it at system or important files. 3) If you plan to run it autonomously, review generated MDX for sensitive content before distributing. 4) The presence of an invisible unicode character in a regex is probably benign (it matches Docusaurus anchor markers) but you can inspect the script locally to confirm it does only the described cleaning steps.

Like a lobster shell, security has layers — review code before you run it.

latestvk975gbbr0sx2xg55h36wwe9dx1821pft

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments