Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

html-to-pdf

v1.0.0

Convert an HTML file to a PDF using headless Chrome (Puppeteer) — the same approach atypica uses for its AI-generated research reports. Use this skill whenev...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (html-to-pdf via headless Chrome) match the provided files and instructions. The included script implements the stated functionality and there are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
Instructions and the script operate on local HTML files (read, patch, write temp file, produce PDF) as described. The script intentionally fetches external resources (Google Fonts, Tailwind CDN, remote images/CSS referenced by the HTML) when rendering; this means Chromium will perform outgoing network requests to those hosts. The script also launches Chromium with --no-sandbox (documented in SKILL.md), which is commonly necessary in containers but reduces sandboxing. These behaviors are expected for accurate rendering but are worth noting as they cause network traffic and reduce process isolation.
Install Mechanism
This is an instruction-only skill (no registry install). The recommended install is npm install (puppeteer) which will download many npm packages and a pinned Chromium binary (~170 MB). The packages come from the npm registry (package.json/package-lock.json present); there are no downloads from obscure personal servers in the provided files. Installing will write dependencies and a large browser binary to disk.
Credentials
No environment variables, credentials, or external config paths are required or requested. The script only uses local filesystem access to read input and write output (intended behavior).
Persistence & Privilege
The skill does not request persistent or elevated platform privileges, does not set always:true, and does not modify other skills or system-wide agent settings. It writes a short-lived temporary file next to the input HTML and deletes it on exit.
Assessment
This skill appears to do what it says. Before running: (1) Be aware npm install puppeteer will download many packages and a ~170 MB Chromium binary; ensure you have bandwidth/disk space. (2) Rendering may cause Chromium to fetch external assets (Google Fonts, CDNs, remote images referenced in the HTML) — if the HTML contains URLs to private services, those hosts will see requests (possible data leakage). (3) The script runs Chromium with --no-sandbox (often required in CI/Docker); for untrusted HTML run it in an isolated container or VM. (4) Requires Node ≥18; review the HTML you convert if it contains sensitive data or external references.

Like a lobster shell, security has layers — review code before you run it.
