Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Joe's Markdown to DOCX Converter
v1.0.0
Convert Markdown files to fully formatted Word DOCX documents with support for tables, images, code blocks, and GitHub Flavored Markdown features.
⭐ 0· 232·1 current·1 all-time
by zupeng @joecao
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill name/description (Markdown to DOCX) matches the included code (scripts/convert.js) and declared dependencies (docx, remark, node-fetch). The code reads a .md file, parses Markdown, handles tables, images, code blocks, and writes a .docx — consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running npm install and node scripts/convert.js which matches the code. The converter will fetch remote images (HTTP/HTTPS) and will read local files relative to the input Markdown — expected for image support. Minor caution: fetching arbitrary image URLs means the runtime will make outbound HTTP requests for any remote URLs found in Markdown (possible SSRF/probing risk if untrusted Markdown references internal endpoints).
Install Mechanism
There is no registry install spec (instruction-only skill), but it includes source and instructs running npm install which will pull packages from npm. That is normal but means dependencies will be installed at runtime; review/verify dependencies before installing. Minor mismatch: package.json 'main' points to main.js while actual script is scripts/convert.js — harmless but an inconsistency.
Credentials
The skill requests no environment variables, no credentials, and no config paths — appropriate for a local file conversion utility.
Persistence & Privilege
Skill is not marked 'always:true' and does not request elevated or persistent platform privileges. It operates as a user-invoked CLI script and writes only the output .docx file to disk.
Assessment
This skill appears to do what it claims, but take these precautions before installing or running it:
- Audit dependencies (package.json / package-lock.json) before npm install to ensure you trust the packages and registry mirror. npm install will fetch code into your environment.
- Run the tool in a sandboxed environment if you will convert Markdown from untrusted sources. The converter will perform HTTP requests for remote image URLs found in the Markdown; this can be used to probe internal services (SSRF) or trigger network requests you may not expect.
- If using sensitive environments (cloud VMs, CI runners), avoid converting untrusted Markdown or block outbound requests during conversion.
- Note the small metadata inconsistency (package.json main references main.js while the converter is scripts/convert.js); this doesn't affect running the script directly but is worth fixing.
If you are comfortable auditing dependencies and controlling network access for untrusted inputs, this skill is coherent with its stated purpose.
scripts/convert.js:283
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Tags: converter, document, docx, joe, latest, markdown, word
