Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News To Markdown Skill

v2.3.28

Convert news articles to Markdown in one click, with dual-engine content extraction, smart cover-image selection, download of images to local disk, a three-tier HTML fetching strategy, and platform-specific optimizations. Newly added support for 10 platforms: Toutiao (头条), WeChat Official Accounts (微信公众号), Juejin (掘金), Jianshu (简书), CSDN, Woshipm (人人都是产品经理), OSChina (开源中国), Bilibili articles (B站专栏), SegmentFault, Cnblogs (博客园)

by PING SI (@sipingme)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (news → Markdown, platform-specific adapters, image download, three-step fetch) align with the instructions and with the declared dependency on the 'news-to-markdown' library. However, SKILL.md and package.json list a CLI entry (bin/convert-url) and include 'bin' in the 'files' whitelist, while the provided file manifest does not contain the bin/convert-url file. This is an internal inconsistency that could break the expected behavior or indicate an incomplete package.
Instruction Scope
SKILL.md instructs the agent to fetch web pages (curl/wget/Playwright), extract content, and optionally download images to local disk. Those actions are within the stated scope. The instructions do explicitly require network access and file writes (image download/output-dir), and they recommend running 'npx playwright install chromium' which implies downloading a browser binary — all consistent with scraping tasks but important operational considerations.
Install Mechanism
There is no install specification in the registry bundle (instruction-only). SKILL.md states requirements (node >=18 and npm: news-to-markdown@^1.4.27) but the package bundle lacks an install step and is missing the claimed bin entry. That means the runtime may not actually have the CLI available unless the platform separately installs the npm dependency. Playwright installation is left to the user (npx playwright install chromium), which will download a large browser binary — not dangerous by itself but a deployment/operation surprise.
Credentials
The skill requests no environment variables, credentials, or configuration paths. All declared requirements (node/npm and optional curl/wget/Playwright) are proportional to web-scraping and conversion tasks. There are no unexplained SECRET/TOKEN env var requests.
Persistence & Privilege
Flags show default behavior (always: false, agent invocation allowed). The skill does not request permanent system-wide privileges or modifications to other skills. Its file operations are limited to writing outputs and downloaded images (as described).
What to consider before installing
This skill appears to do what it says (fetch pages, extract article content, convert to Markdown), but the bundle is inconsistent: the README/SKILL.md and package.json reference a CLI (bin/convert-url) while the provided file list does not include that bin. Before installing or granting runtime access, consider:
1) Verify or install the npm package 'news-to-markdown@^1.4.27' yourself (the skill expects it).
2) Test in a sandbox: ensure the 'convert-url' CLI actually exists and behaves as documented.
3) Be aware that downloading images writes files to disk and that 'npx playwright install chromium' will download large browser binaries.
4) Respect copyright and site terms: do not use the skill against paywalled or explicitly protected content.
5) If you need stronger assurance, inspect the upstream 'news-to-markdown' package source (the SKILL.md points to a GitHub repo) and confirm the bin/CLI implementation and any network callbacks it may make.
The missing CLI file and the absent install spec are implementation issues (likely sloppy packaging). They do not prove malicious intent, but they justify caution.
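The inconsistency called out under Purpose & Capability, Install Mechanism and items 1) and 2) above (a package.json that promises a bin entry the bundle never ships) is mechanical to check. The following Node script is an added example, not code from the ClawHub scanner or from the news-to-markdown project: it cross-checks the entry points a package.json declares (bin, main) and its 'files' whitelist against the list of files actually present in the bundle. The manifest and bundle listing are constructed to mirror the report; the function names are this example's own, and it assumes the bundle listing looks like the output of tar -tzf on an npm pack tarball, where every path is prefixed with package/.

```javascript
// Added example: audit a package.json against the files a bundle really ships.
// Not part of the ClawHub listing or the news-to-markdown project.

// Normalise a path the way a tarball listing shows it: forward slashes,
// and no leading "./" or "package/" (npm pack tarballs use the latter prefix).
function normalize(p) {
  return p.replace(/\\/g, '/').replace(/^\.\//, '').replace(/^package\//, '');
}

// Every entry point package.json promises (bin entries and main) that is
// missing from the shipped file list. npm allows `bin` to be a string
// (one command named after the package) or an object of name -> file.
function findMissingEntryPoints(pkg, shippedFiles) {
  const shipped = new Set(shippedFiles.map(normalize));
  const declared = [];
  if (typeof pkg.bin === 'string') {
    declared.push({ kind: 'bin', name: pkg.name, file: pkg.bin });
  } else if (pkg.bin && typeof pkg.bin === 'object') {
    for (const [name, file] of Object.entries(pkg.bin)) {
      declared.push({ kind: 'bin', name, file });
    }
  }
  if (typeof pkg.main === 'string') {
    declared.push({ kind: 'main', name: pkg.name, file: pkg.main });
  }
  return declared
    .map((d) => ({ ...d, file: normalize(d.file) }))
    .filter((d) => !shipped.has(d.file));
}

// Entries of the `files` whitelist that match nothing in the bundle. A listed
// directory such as "bin" with no shipped file under it means the author
// intended to ship something that never made it into the package.
function findEmptyFilesEntries(pkg, shippedFiles) {
  const shipped = shippedFiles.map(normalize);
  return (pkg.files || []).filter((entry) => {
    const e = normalize(entry).replace(/\/$/, '');
    return !shipped.some((f) => f === e || f.startsWith(e + '/'));
  });
}

// Constructed sample mirroring the scan report: a CLI is declared and "bin"
// is whitelisted, but the bundle contains no bin/ directory at all.
const SAMPLE_PKG = {
  name: 'example-skill',
  version: '0.0.0',
  main: 'index.js',
  bin: { 'convert-url': 'bin/convert-url' },
  files: ['bin', 'index.js', 'SKILL.md'],
};
const SAMPLE_BUNDLE = [
  'package/package.json',
  'package/index.js',
  'package/SKILL.md',
];

// Run both checks over the sample and return the findings.
function auditSample() {
  return {
    missing: findMissingEntryPoints(SAMPLE_PKG, SAMPLE_BUNDLE),
    emptyFiles: findEmptyFilesEntries(SAMPLE_PKG, SAMPLE_BUNDLE),
  };
}

// When run directly, print the findings and fail the process if any exist,
// so the script can gate a CI or pre-install step.
if (typeof require !== 'undefined' && require.main === module) {
  const report = auditSample();
  for (const m of report.missing) {
    console.log(`missing ${m.kind} "${m.name}": ${m.file}`);
  }
  for (const f of report.emptyFiles) {
    console.log(`files entry matches nothing in bundle: ${f}`);
  }
  process.exitCode = report.missing.length || report.emptyFiles.length ? 1 : 0;
}
```

To audit a real package, replace SAMPLE_PKG with the parsed package.json from the bundle and SAMPLE_BUNDLE with the listing produced by `npm pack <name>@<version>` followed by `tar -tzf` on the resulting tarball; a non-zero exit then flags exactly the kind of missing-bin inconsistency this report describes before anything is installed.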

Like a lobster shell, security has layers — review code before you run it.

latest: vk9722699dd4jvd47sv7k9d6j858494rw
