ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Md Web

Publish markdown files as shareable web pages and return a clickable link.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 31 · 0 current installs · 0 all-time installs
by@rockbenben
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (publish .md to public web pages) lines up with what is included: Node script (upload.js) and Docsify assets. The only runtime binary required is node, which is appropriate.
Instruction Scope
SKILL.md explicitly instructs the agent to prompt the user for S3 credentials, write a local {SKILL_DIR}/config.json, upload raw .md and deploy bundled Docsify files to the user's bucket, and not to auto-trigger uploads. These actions are within the stated purpose but do involve handling secrets and writing files to disk — the user must consent before any upload.
Install Mechanism
No install spec; code is shipped with the skill and executed by node (upload.js). There are no remote downloads or third-party install steps in the manifest, which keeps installation risk low.
Credentials
The skill asks the user to provide access_key and secret_key (and endpoint/bucket/public_url) — these are the exact credentials needed for S3-compatible uploads, so the request is proportionate. The SKILL.md also optionally requests Admin Read & Write permission for lifecycle rule creation; that elevated permission is optional and should be granted only if the user wants automatic expiry behavior.
Persistence & Privilege
always: false and user-invocable: true. The skill stores credentials in a local config.json (documented and gitignored) for subsequent runs — that is normal for this use case and does not modify other skills or system-wide settings.
Assessment
This skill appears to be what it says: it will upload .md files to an S3-compatible bucket you configure and return a public URL. Before using it: (1) review the upload.js script yourself (it's executed locally) to confirm no unexpected network endpoints or telemetry exist; (2) use a token scoped to the single bucket (or the narrowest permissions possible) rather than full account keys when possible; (3) prefer a bucket-specific token or temporary/rotating credentials and consider restricting the token to object write/read; (4) remember all uploaded documents become publicly accessible via the generated URL — do not upload secrets or private data; (5) if you do not want automatic lifecycle rules created, set expire_days to 0 or create lifecycle rules manually in your provider's console and avoid granting Admin Read & Write; (6) test with a disposable bucket first. If you want a deeper check, paste the full upload.js source here so I can review it line-by-line for hidden endpoints or unexpected behavior.
docsify-server/assets/docsify.min.js:1
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk972bysyxqkb1hye6b9gzzcnyd830xvd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binsnode

SKILL.md

MD Web - Markdown to Web Page

Upload raw .md files to an S3-compatible storage bucket, where a pre-deployed Docsify server automatically renders them as web pages. This avoids sending long text in the conversation.

When to use this skill

Uploaded content is publicly accessible. Only use this skill when the user explicitly requests it:

  • User asks to "show as web page", "share as a link", "preview in browser", or similar
  • User asks to "generate a file" for sharing
  • User invokes this skill by name (e.g., /md-web)

Never auto-trigger. Do not upload content just because it is long. If you think the user might benefit from a web page, suggest it — but wait for confirmation before uploading.

How to use this skill

Step 1: Check configuration

Check if {SKILL_DIR}/config.json exists. If it does NOT exist or has empty fields, follow the Configuration section below first.

Step 2: Prepare the markdown file

Either use an existing .md file, or write the content to a temporary file. Choose the temp path based on the current platform (e.g., /tmp/ on Linux/macOS, system temp dir on Windows). Use whichever path works in the current shell environment.

Step 3: Upload via upload.js

node {SKILL_DIR}/upload.js <local-file> <remote-key>
  • {SKILL_DIR}: the base directory of this skill (shown at the top when skill is loaded)
  • <remote-key>: a descriptive lowercase name with hyphens (e.g., api-docs.md, project-guide.md). A timestamp is prepended automatically to avoid filename collisions.
  • On first run, the script auto-detects and deploys Docsify server files. No manual setup needed.

Step 4: Return the result

  • On success: the script prints the URL. Reply with only the filename and clickable link. Do NOT paste the markdown content into the chat.
  • On failure (non-zero exit code): report the error to the user, then fall back to sending the markdown content as text directly in the chat.

Example success output:

api-docs - https://example.r2.dev/index.html#/20260305-091500-api-docs

Configuration

This only needs to happen once. On subsequent runs, config.json already exists.

  1. Tell the user this skill needs an S3-compatible storage bucket with public access. Point them to {SKILL_DIR}/README.md for detailed setup instructions (Cloudflare R2 / AWS S3 / other S3-compatible services).
  2. Ask the user to provide these 5 required fields:
    • access_key: API access key ID
    • secret_key: API secret access key
    • endpoint: S3 endpoint hostname, without https:// (e.g., ACCOUNT_ID.r2.cloudflarestorage.com)
    • bucket: bucket name
    • public_url: public access URL. If the user has a custom domain bound to the bucket, use that (e.g., https://docs.example.com); otherwise use the default R2.dev URL (e.g., https://pub-XXXX.r2.dev). Recommend custom domain for production use — R2.dev URLs have rate limits.
  3. Ask about optional settings:
    • region: S3 region. Use auto for Cloudflare R2, or the actual region for AWS S3 (e.g., us-east-1). Default is auto.
    • expire_days: how many days before uploaded markdown files are automatically deleted from the bucket. Default is 30. Set to 0 to keep files forever. The script sets an S3 lifecycle rule automatically — only timestamped uploads are affected; Docsify server files are never expired. Note: this requires the API token to have Admin Read & Write permission (not just Object Read & Write). If the token lacks permission, the script will warn but still upload normally — the user can set the lifecycle rule manually in the Cloudflare Dashboard instead.
  4. Write the config to {SKILL_DIR}/config.json:
{
  "access_key": "...",
  "secret_key": "...",
  "endpoint": "...",
  "bucket": "...",
  "region": "auto",
  "public_url": "...",
  "expire_days": 30
}
  1. Then proceed with the upload.

Important notes

  • Do NOT generate HTML. Just upload the raw .md file — Docsify handles rendering.
  • Do NOT send long markdown content to the chat unless upload fails.
  • upload.js uses only Node.js built-in modules (zero dependencies).
  • All Docsify assets (JS/CSS) are bundled locally — no external CDN dependency at runtime.

External endpoints

This skill connects only to the S3 endpoint configured by the user in config.json. No data is sent to the skill author or any third-party service.

EndpointPurposeData sent
User's S3 endpoint (config.json → endpoint)Upload .md files and Docsify server assetsFile content, S3 auth headers

Security & privacy

  • All uploaded content is publicly accessible via the generated URL.
  • Credentials (access_key, secret_key) are stored locally in config.json (gitignored) and only sent to the user's own S3 endpoint for authentication.
  • No telemetry, analytics, or data collection by the skill itself.
  • upload.js uses only Node.js built-in modules — no third-party dependencies.

By using this skill, markdown content is uploaded to your own S3-compatible storage bucket and made publicly accessible. No data is sent to the skill author or any third-party service. Only install if you trust the storage provider you configure.

Files

13 total
Select a file
Select a file to preview.

Comments

Loading comments…