ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

markdown-to-html

v0.3.0

Convert a Markdown file or raw Markdown string into a polished HTML document. Supports custom Pandoc HTML templates, custom CSS, and includes built-in HTML t...

0· 26·0 current·0 all-time
byKing@mutour
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included artifacts: a Python converter (scripts/markdown_to_html.py), built-in templates and CSS, and CLI examples that call pandoc. The SKILL.md explicitly states the pandoc dependency, which the script enforces. There are no unrelated environment variables, binaries, or configuration paths requested.
Instruction Scope
Runtime instructions are focused on converting Markdown to HTML (file or string input), selecting templates/CSS, and writing output. The SKILL.md and script only reference the source Markdown, templates, CSS, and an optional resource path (defaulting to the input file's directory). There are no instructions to read unrelated system files, external credentials, or to exfiltrate data.
Install Mechanism
No install spec is provided (instruction-only); the script expects pandoc to be present on PATH. No downloads or archive extraction are performed by the skill itself. This is the low-risk pattern for a CLI helper that delegates conversion to an existing binary.
Credentials
The skill requests no environment variables, credentials, or config paths. It does read local files supplied by the user (input markdown, templates, CSS, optional metadata) which is proportional to its purpose. The only implicit permission is file system access to user-specified paths and the ability to run the pandoc binary.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent privileges. It does not modify other skills or system-wide configs. It writes the output HTML and may create a temporary source file for raw markdown (deleted on completion), which is normal for this utility.
Assessment
This skill appears to do exactly what it claims: call your local pandoc to convert Markdown using bundled or custom templates/CSS. Before installing/using it, ensure you trust the local pandoc binary (the script executes it via subprocess), and only run the tool on Markdown and templates from trusted sources—the generated HTML may include raw HTML from the input or templates, which could contain scripts when opened in a browser. If you use custom templates or CSS from third parties, inspect them first. Also ensure the script has permission only to access directories you intend (output path and resource path default to input's directory).

Like a lobster shell, security has layers — review code before you run it.

latestvk97bhhatf06sx3511c89p9nebn84b2vm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments