Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

度慧文档转PDF

v1.0.0

Use this skill when converting a single local document to PDF through 度慧文档转换 on Alibaba Cloud Market. Trigger for requests mentioning 度慧, 文档转PDF, doc to pdf,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the shipped scripts: the tool uploads one local file to an OSS bucket, calls Duhui's v2/convert_async, polls a query endpoint, downloads the PDF, and attempts to delete the temporary OSS object. However the registry metadata declares no required env vars while the runtime explicitly requires DUHUI_DOC_TO_PDF_APPCODE — this mismatch is an incoherence that should be corrected or explained.
Instruction Scope
SKILL.md instructs persisting an AppCode into the user's shell startup (via scripts/persist_duhui_appcode.py) and running python scripts that will upload the user's file to a third-party OSS host and call remote APIs. The instructions ask the agent/user to store a secret in shell rc files and to run the included scripts; these are within the conversion purpose but expand scope to persistent local config changes and network I/O of user files.
Install Mechanism
No install spec (instruction-only + bundled Python scripts). The Python scripts use only the standard library; nothing is downloaded or executed during install. This is lower risk from an installation mechanism perspective.
Credentials
The runtime requires DUHUI_DOC_TO_PDF_APPCODE (AppCode) but the skill metadata declares no required env vars — a discrepancy. The conversion script also fetches temporary OSS credentials from https://file.duhuitech.com/k/tmp_up.json and sets DH_TMP_OSS_ACCESS_KEY_ID/SECRET in the process environment to upload the file to fmtmp.oss-cn-shanghai.aliyuncs.com. That means user files will be uploaded to third-party storage and a remote domain provides upload credentials — behavior that should be explicitly declared and vetted by the user.
Persistence & Privilege
always:false (good). The persist_duhui_appcode.py script will modify the user's shell startup file if the user runs it (inserting export DUHUI_DOC_TO_PDF_APPCODE=...). Writing a secret into shell rc is potentially sensitive (exposes the secret to other processes/users on the host). This modification only happens if the user follows SKILL.md instructions, but the skill encourages doing so.
What to consider before installing
Before installing or running this skill: (1) Understand it will upload your local file to a third-party OSS bucket (fmtmp.oss-cn-shanghai.aliyuncs.com) and call remote conversion endpoints; do not use it for sensitive documents unless you trust the vendor. (2) The script expects an AppCode in DUHUI_DOC_TO_PDF_APPCODE — but the registry metadata did not declare this; you should confirm the AppCode is the only required secret. (3) The tool fetches temporary OSS credentials from https://file.duhuitech.com/k/tmp_up.json — verify that domain and the credential provisioning flow are legitimate and acceptable. (4) Persisting the AppCode writes an export line into your shell startup file; prefer setting the AppCode in a single session or an isolated environment instead of permanently adding it to rc files. (5) If you need stronger assurance, run the scripts in an isolated container/VM, inspect network activity during a test run, or ask the publisher to declare required env vars and the credential endpoints in the registry metadata. If you do not trust the vendor or the remote credential host, do not run the scripts on sensitive files.



SKILL.md

度慧文档转PDF

Overview

Use this skill for Duhui asynchronous conversion tasks of the form "one local file to one PDF". The standard chain is: local file -> temporary upload to Alibaba Cloud OSS -> put the OSS object's direct link into input -> v2/convert_async -> poll the query endpoint -> download the PDF locally -> delete the temporary OSS file.

When To Use

  • The user explicitly mentions 度慧 (Duhui), document to PDF, document conversion, format conversion, PDF conversion, PDF compression, or PDF watermark
  • The user wants to convert a single local doc/docx/ppt/pptx/xls/xlsx/ofd/img/txt/html/... file to PDF
  • The task must go through Duhui's asynchronous API rather than local LibreOffice or another converter

Do Not Use

  • Direct URL input
  • Base64 input
  • Callback URL

Workflow

  1. Check only the environment variable DUHUI_DOC_TO_PDF_APPCODE
    • If the variable already exists, run the conversion script directly; do not ask the user to enter the AppCode again, and do not recommend the one-off DUHUI_DOC_TO_PDF_APPCODE='<appcode>' python3 ... style of temporary injection again.
    • If the variable does not exist, tell the user explicitly to obtain an AppCode from the Alibaba Cloud Market product page first: https://market.aliyun.com/detail/cmapi00044564. Do not just say "please provide the AppCode" in general terms.
    • If the user has already provided the AppCode in the current conversation, persist it first, then continue. The default command is:
python3 scripts/persist_duhui_appcode.py '<appcode>'
    • After persisting, run source once using the source_command from the script output, or have the user open a new shell session; only then run the conversion script.
  2. Prefer running the script by default; do not hand-write OSS upload or HTTP call logic:
python3 scripts/duhui_doc_to_pdf.py ./input.docx
  3. When the user specifies an output path, add --output
python3 scripts/duhui_doc_to_pdf.py ./input.docx --output ./output.pdf
  4. By default an output PDF with the same name is overwritten; if the user wants to keep the old result, specify a different --output path explicitly.
  5. Pass --type only when the file extension is missing, wrong, or the source type must be forced.
  6. When vendor v2 optional parameters are needed, pass them through with --extra-params '<json>', for example:
python3 scripts/duhui_doc_to_pdf.py ./input.docx --extra-params '{"pagesize":2,"compress":1}'
  7. Never echo the AppCode or the script's built-in OSS credentials in chat, logs, or the final reply; when persisting, use only a placeholder or the value the user already provided, and do not display the secret again.
  8. When you need to confirm supported formats, map the user's detailed requirements to further v2 parameters, look up vendor parameter details, or troubleshoot vendor response fields, read references/doc_to_pdf_ali.md

Output Contract

  • Progress messages are written only to stderr
  • stdout emits exactly one JSON document
  • The success JSON contains: status, token, output_path, pdf_url, page_count, filesize, source_object_key
  • The failure JSON contains: status, stage, token, reason
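As an added illustration (not code from the skill's own scripts), the following Python check applies workflow step 1 and the Output Contract above: it reports whether DUHUI_DOC_TO_PDF_APPCODE is set without ever returning its value, validates that stdout is a single JSON object with the contract's fields, and confirms no AppCode or OSS credential value was echoed into it. The success status value "success" and the two sample outputs are assumptions constructed for the example.

```python
import json

# Field sets copied from the skill's Output Contract section.
SUCCESS_FIELDS = {"status", "token", "output_path", "pdf_url",
                  "page_count", "filesize", "source_object_key"}
FAILURE_FIELDS = {"status", "stage", "token", "reason"}
APPCODE_VAR = "DUHUI_DOC_TO_PDF_APPCODE"
# Assumption: the script marks success with status == "success";
# the page names the field but not its value.
SUCCESS_STATUS = "success"


def appcode_state(env):
    """Workflow step 1: report only whether the AppCode is set, never its
    value, so the check itself cannot leak the secret into a log."""
    return "present" if env.get(APPCODE_VAR, "").strip() else "missing"


def check_result(stdout_text, secrets):
    """Validate the single-JSON stdout contract and confirm that no secret
    value was echoed. Returns (ok, list_of_problems)."""
    try:
        result = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        return False, [f"stdout is not a single JSON document: {exc}"]
    if not isinstance(result, dict):
        return False, ["JSON root is not an object"]
    expected = SUCCESS_FIELDS if result.get("status") == SUCCESS_STATUS else FAILURE_FIELDS
    problems = []
    missing = expected - set(result)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    # Workflow rule 7: any secret value appearing anywhere in the JSON is a leak.
    serialized = json.dumps(result)
    for name, value in secrets.items():
        if value and value in serialized:
            problems.append(f"secret {name} echoed in output")
    return not problems, problems


# Constructed sample outputs (not real script output).
SAMPLE_SUCCESS = json.dumps({
    "status": "success", "token": "tok-1", "output_path": "./output.pdf",
    "pdf_url": "https://example.invalid/out.pdf", "page_count": 3,
    "filesize": 12345, "source_object_key": "up/0000-example.docx"})
SAMPLE_LEAK = json.dumps({
    "status": "failed", "stage": "convert", "token": "tok-2",
    "reason": "HTTP 403 for appcode abc123"})
```

A wrapper around the conversion script can feed its stdout and the known secret values to check_result before relaying anything to the user.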

Notes

  • The script always handles exactly one local input file
  • The script uses only the Python standard library and depends on no extra Python packages
  • The OSS object name is fixed as up/<uuid4><original extension>
  • After upload, the OSS object URL is passed directly to the vendor; no signed URL is generated
  • The query endpoint carries no authentication; it is polled every 2 seconds for at most 60 minutes
  • After conversion finishes, the script tries to delete the temporary OSS source file; a failed delete is only logged as a warning and does not override the main error
