ClawHub

HackMD

v1.0.0

Work with HackMD documents. Use when reading, creating, updating, or deleting notes on HackMD. Supports change tracking to detect document modifications since last check. Supports personal and team workspaces.

0· 974·0 current·0 all-time
by@nulltea
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the actions implemented: reading, creating, updating, deleting HackMD notes and change-tracking. The skill requires hackmd-cli and an HMD_API_ACCESS_TOKEN which are expected for this integration.
Instruction Scope
Runtime instructions are constrained to installing/using hackmd-cli and a local Node script that calls the HackMD API and stores tracking state in ./ .hackmd/tracked-notes.json. One caveat: the script reads an additional environment variable (HMD_API_ENDPOINT_URL) to override the API base, but that env var is not documented in SKILL.md or listed in the declared requires.env.
Install Mechanism
There is no automatic install spec; SKILL.md instructs the user to run npm install -g @hackmd/hackmd-cli. No remote, opaque downloads or archive extraction are performed by the skill package itself.
Credentials
The declared primary credential is HMD_API_ACCESS_TOKEN which is appropriate. The code also reads HMD_API_ENDPOINT_URL (undocumented) as an alternate API endpoint — this is an additional environment input that was not declared in requires.env and should be documented/considered before use.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It stores state only under the current working directory in .hackmd/tracked-notes.json and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it wraps hackmd-cli and includes a small Node script to track note changes locally. Before installing: - Ensure HMD_API_ACCESS_TOKEN is scoped appropriately (only give the token the minimum permissions needed). - Confirm you have node and the hackmd-cli installed (SKILL.md directs npm -g install). Note: meta.json lists node as required even though the registry top-level requirements only list hackmd-cli—you will need node to run scripts. - Be aware the tracker writes state to a .hackmd directory in whatever working directory you run it from (./.hackmd/tracked-notes.json). - The script supports an undocumented HMD_API_ENDPOINT_URL env var to change the API base; if you set this, ensure it's a trusted endpoint. If you want full assurance, review scripts/hackmd-track.js yourself (it is included) to verify there are no unwanted network endpoints or behaviors.

Like a lobster shell, security has layers — review code before you run it.

latestvk9727va84ngv2mb765tj1pcb6580ssqs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📜 Clawdis
Binshackmd-cli
EnvHMD_API_ACCESS_TOKEN
Primary envHMD_API_ACCESS_TOKEN

Comments