Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Math Notes KaTeX

v0.1.3

Render math-heavy notes to PNG using KaTeX (LaTeX) + headless Brave. Use when the user asks for a clean “solution/summary notes as an image”, “formulas as a pictu...

byilysha@rokokol
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the code: the JS and shell scripts implement KaTeX -> HTML -> headless Brave screenshot flows. However the skill declares no required binaries or env vars while its runtime clearly needs node, the 'katex' node package, and a Chromium-family browser (Brave). That omission is an incoherence: someone building this feature would reasonably need to declare these dependencies or provide an install step.
Instruction Scope
Runtime instructions (SKILL.md and scripts) stay on-topic: they read a local markdown file, split/render it, build local HTML, and invoke a headless browser to produce PNGs. There are no instructions to read unrelated system files or to send data to external endpoints. The troubleshooting notes explicitly call out the headless flags needed to access local files.
Install Mechanism
No install specification is provided despite code that depends on Node modules (katex) and an external browser binary. There is no package.json or npm install guidance, so it's unclear how katex (and any other runtime modules) will be made available. This is a practical and security concern: missing install instructions may lead users to run ad-hoc installs or run the code in an unexpected environment.
Credentials
The skill requests no environment variables or credentials. That is proportionate for the stated purpose. Note: runtime access to the filesystem (reading input file, writing out/ directories) is required and expected for rendering; no credentials are requested.
Persistence & Privilege
The skill does not request elevated or persistent privileges and 'always' is false. It does invoke an external browser (headless Brave) which will be run when the script is executed — this is expected for the task and not flagged by itself.
What to consider before installing
This skill seems to do what it claims (turn LaTeX-like notes into PNGs) but it's incomplete in practice. Before installing or running it:
- Do not run blindly. Inspect the full render_note_png.js (the portion that launches Brave) to confirm it only screenshots local HTML and does not fetch or post to external URLs.
- The package has no install spec or package.json. You will need Node.js and the katex module available in the runtime, and an executable Brave/Chromium on PATH (or pass a full --brave path). Add/verify a package.json or run npm install katex in a controlled environment.
- Running headless Chromium as root may require flags (--no-sandbox --disable-setuid-sandbox); using those flags reduces sandboxing — avoid running the browser as root where possible. Prefer running inside an isolated container or dedicated VM if you are unsure.
- The scripts link KaTeX CSS via file:// to load fonts locally; ensure the katex package and fonts are present and that the CSS does not include remote font URLs. If you must allow remote resources, be aware that this could introduce network fetches.
If you want to proceed: run the scripts in an isolated environment (container or VM), add explicit dependency/install steps (npm install katex and any other modules), and verify the Brave invocation flags are reasonable for your security posture.
scripts/render_note_png.js:379
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


