Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Html To Markdown
v0.1.0
Converts HTML content to Markdown format; supports string, file, and URL conversion
by PING SI @sipingme
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (HTML → Markdown) match the declared dependency on an npm package (@siping/html-to-markdown-node) and the CLI examples. The operations (string, file, URL conversion) align with what an HTML→Markdown converter would legitimately need.
Instruction Scope
Instructions are scoped to converting provided HTML, files, or fetching URLs and converting them. This necessarily uses network access (for convert-url) and filesystem access (convert-file), which is expected. Minor documentation mismatch: several examples reference bash scripts/convert.sh that are not present in the skill files — the skill expects the npm package to provide the html2md CLI or the user to install the repo scripts. The convert-url behavior (fetching arbitrary webpages) can expose fetched content to whatever runtime executes the CLI; this is expected but worth noting.
Install Mechanism
No install spec in the registry bundle (instruction-only). The SKILL.md recommends installing a public npm package from the npm registry (npmjs.com), which is a standard, low-risk install vector but does pull code from an external package. The instructions suggest global npm installation which modifies the system PATH — a normal choice but worth caution.
Credentials
The skill does not request environment variables, credentials, or config paths. It only requires Node/npm and the referenced npm package; this is proportional to the described functionality. Note: network and file system access are implied by the described operations (URL fetching and file conversion).
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated privileges or modify other skills. It is user-invocable and can be invoked autonomously (platform default), which is expected for a utility skill.
Assessment
This skill appears coherent and delegates conversion to a public npm package. Before installing, review the referenced npm package and GitHub repo (check recent activity, maintainer, and source code) to ensure it is trustworthy. Prefer a local or containerized install rather than global (-g) if you want to limit system-wide changes. Be cautious when using convert-url with private or authenticated pages (the runtime will fetch those pages and could expose their content); avoid passing sensitive URLs or credentials to this tool. Note the docs reference scripts/convert.sh that are not included in the package bundle—verify which CLI (html2md) will actually be installed and test in a safe environment first.
Like a lobster shell, security has layers — review code before you run it.
