ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baoyu Url To Markdown

v0.1.0

Fetch any URL and convert to markdown using Chrome CDP. Saves the rendered HTML snapshot alongside the markdown, uses an upgraded Defuddle pipeline with bett...

0· 177·0 current·0 all-time
by@nengnengz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (URL → markdown via Chrome CDP) aligns with the included TypeScript scripts. Required runtime helpers (bun or npx) are plausible for running the scripts. The code legitimately needs to launch/attach to Chrome, read/write EXTEND.md and output files, fetch external resources, and optionally call defuddle.md — all coherent with an archiver/conversion tool.
Instruction Scope
SKILL.md correctly instructs the agent to locate the scripts, prefer bun/npx, and to prompt the user for preferences before creating EXTEND.md. The code itself performs file I/O (reading/writing EXTEND.md, writing markdown and captured HTML, downloading media) and network I/O (fetching pages/media and defuddle.md). These actions are within the stated purpose. One mismatch: SKILL.md mandates a blocking AskUserQuestion flow on first run, but the provided main.ts does not itself enforce that flow — it relies on the agent to follow SKILL.md. Agents must therefore obey the SKILL.md requirement to avoid silently creating EXTEND.md.
Install Mechanism
There is no install spec (instruction-only install), which means nothing will be automatically downloaded by the registry. The package includes source files and an internal vendor folder for baoyu-chrome-cdp; no external arbitrary URLs or archive downloads are present in the manifest. Expect runtime dependency resolution (bun/npx) when executing the scripts.
Credentials
The skill declares no required env vars but the code tolerates and uses common environment variables (HOME, XDG_CONFIG_HOME) and optionally URL_CHROME_PATH to override the Chrome path. Those are reasonable for locating profile/config and Chrome. The skill will read/write EXTEND.md in project or user config locations and will create output directories — behavior consistent with its purpose but worth noting because it writes into the user's filesystem. No unrelated credentials or secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or modify other skills. It writes its own config (EXTEND.md) and output files, and may launch or kill Chrome instances — this is appropriate for a browser-capture utility. Autonomous invocation is allowed (platform default) but does not combine with other red flags here.
Assessment
This skill will execute the included TypeScript code locally, launch or attach to a Chrome instance, fetch arbitrary URLs, optionally download linked media, and write markdown and HTML snapshot files to your filesystem (project dirs or ~/.baoyu-skills). It will fall back to the public defuddle.md service if local capture fails, which exposes the requested URL to that service. Before installing or running: (1) review the included scripts if you don't trust them; (2) be aware it will create EXTEND.md in your project or home and will download media into imgs/ or videos/ subfolders; (3) run it in a sandbox or with a dedicated Chrome profile if you want to avoid attaching to your personal browser; (4) ensure you want URLs you request to potentially be sent to defuddle.md on failure. Note: SKILL.md requires the agent to prompt the user (AskUserQuestion) before creating EXTEND.md — that flow depends on the agent following SKILL.md (the code does not itself enforce the interactive block).
scripts/vendor/baoyu-chrome-cdp/src/index.test.ts:89
Shell command execution detected (child_process).
scripts/vendor/baoyu-chrome-cdp/src/index.ts:220
Shell command execution detected (child_process).
scripts/vendor/baoyu-chrome-cdp/src/index.ts:97
Environment variable access combined with network send.
!
scripts/vendor/baoyu-chrome-cdp/src/index.ts:202
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dqzrrad6h1wwm4z355rcg61836x5y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Any binbun, npx

Comments