Skillv1.0.0

ClawScan security

Markdown → 图片卡片 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 3:10 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions mostly match its stated purpose (convert Markdown to image cards) but there are several incoherent or risky points — notably missing install instructions for heavy dependencies, automatic execution guidance that skips user confirmation, and filesystem/network actions (including deleting/creating output dirs and downloading remote images).
Guidance: Before installing or enabling this skill, consider the following: (1) The skill includes substantial code and native/browser dependencies (puppeteer/playwright) but the registry entry has no install spec — expect to run npm install and to download a browser or require a local Chrome; verify installation steps and run in a sandbox. (2) The SKILL.md instructs the agent to "not ask" and to run automatically: be cautious because generation will perform network requests (download fonts, remote images, YouTube thumbnail lookups, calls to noembed/ytimg) and create/remove files under your home/Downloads and a .temp-images folder. (3) The generator forcibly removes the output directory before writing (fs.rm(..., { force:true })); avoid passing an output path that could point to important data, or modify the code to remove that destructive step. (4) If you require stricter control, request or add an explicit prompt/confirmation step before execution, run the tool locally first to inspect behavior, or run inside an isolated environment (container or VM) with network/file system restrictions. (5) If anything is unclear (install steps, exact network endpoints, or the behavior of the auto-execution rule), ask the author to provide an install spec and to remove the "do not ask" mandate so the agent prompts the user before destructive or network actions.

Review Dimensions

Purpose & Capability: okThe code (Node + JS generator using Puppeteer, a Markdown parser, templates, plus Python helpers) implements Markdown→image functionality described by the name/description: parsing Markdown, downloading remote images, rendering via headless browser, paginating, and producing PNGs. Dependencies like puppeteer/mermaid/marked are consistent with the task.
Instruction Scope: concernSKILL.md instructs the agent to read the full Markdown file and "不要询问用户任何参数。直接执行." (do not ask the user any parameters — execute directly). The runtime behavior includes network IO (downloading fonts, remote images, YouTube thumbnail lookup via noembed and ytimg), writing files to ~/Downloads/<name>/, creating a .temp-images cache, and removing the output directory before generation. Those operations are within the domain of generating images but have side effects (network access, file deletion/writing) that the skill explicitly says to perform without asking the user, increasing risk and scope creep.
Install Mechanism: concernRegistry metadata claimed no install spec / instruction-only, but the package includes package.json, package-lock.json and heavy native deps (puppeteer, mermaid) and Python scripts requiring playwright/requests. There is no install step declared in the registry item; installing requires npm install and possibly playwright/Chromium or relies on a local Chrome binary. The mismatch (no declared install but substantial dependencies and browser binaries) is an incoherence and raises risk (large downloads, native browser dependencies).
Credentials: noteThe skill does not request environment variables or credentials (good). It does use process.env.HOME to construct ~/Downloads/<name>/ and reads arbitrary Markdown file paths. It downloads remote assets and calls external endpoints (e.g., noembed, i.ytimg.com, Google Fonts). It also deletes the output directory (fs.rm(..., force:true)) before writing, which is proportionate to a generation flow but could be surprising/dangerous if paths are manipulated or unexpected.
Persistence & Privilege: noteThe skill is not always:true and does not request elevated platform privileges. However, the SKILL.md's instruction to "directly execute" without asking (and the CLI's default behavior of writing/removing files and performing network requests) means that if the agent invokes this skill autonomously it will perform those side effects without further confirmation. That combination increases blast radius but is not itself a requested platform privilege.