ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web to PDF

v1.0.0

Convert a web page to PDF, especially web-based slide decks and presentations (reveal.js, impress.js, custom JS slideshows, scroll-based decks). Use when the...

0· 203·1 current·1 all-time
by@pearyj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for pearyj/webpage-to-pdf.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Web to PDF" (pearyj/webpage-to-pdf) from ClawHub.
Skill page: https://clawhub.ai/pearyj/webpage-to-pdf
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install webpage-to-pdf

ClawHub CLI

Package manager switcher

npx clawhub@latest install webpage-to-pdf
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the provided code and SKILL.md. The Playwright-based capture script + Python (Pillow) assembly is appropriate for converting web slides/pages into multi-page PDFs. Required dependencies (playwright, chromium, Pillow) are coherent with the stated task.
Instruction Scope
Runtime instructions are narrowly scoped to fetching a user-provided URL, taking screenshots, and assembling them into a PDF. They do require installing npm packages and Pillow. The agent will load arbitrary URLs (expected) — which can expose the runner to remote content, potentially including pages that attempt to fingerprint or exploit the runtime. The script writes and executes a temporary Python script and runs a shell command to invoke it (see security note below).
Install Mechanism
There is no packaged install spec; SKILL.md instructs running `npm install` and `npx playwright install chromium` and `pip install Pillow`. Pulling Playwright and Chromium from npm is normal for this task but will download large binaries and third-party packages from public registries. This is expected but you should be aware these installers run code from upstream registries.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportional: converting pages to PDF does not require secrets or external credentials.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide configs. Its persistence and privileges are minimal.
Scan Findings in Context
[child_process_execSync] expected: The script uses child_process.execSync to invoke python3 with a constructed shell command to run a temporary assembly script. Running an external interpreter is reasonable for PNG→PDF assembly, but invoking via a single shell string introduces potential shell-injection risks if any argument is attacker-controlled. In this code the PNG list is passed inside single quotes (safer) but the output path is embedded in double quotes (command substitution like $(...) would still be interpreted by the shell).
Assessment
This skill appears to do what it claims, but review and consider the following before installing: - Source trust: the package has no homepage and an opaque owner ID. If you don't trust the author, review the included scripts manually (you already have them) before running npm/pip installs. - Installer behavior: `npm install` (Playwright) will download code and Chromium binaries from external registries. Do this only on a machine you control; prefer an isolated environment (container/VM) if possible. - Untrusted URLs: the skill loads arbitrary URLs with a headless browser. Treat this like opening a webpage in a browser — it can run JS, fingerprint, or attempt attacks. Do not run it on systems with sensitive network access unless you sandbox it. - Command invocation risk: the script uses execSync with a composed shell command. If you or an automated agent supplies an output path that contains shell metacharacters (e.g., command substitution), that could be executed. Use safe, simple output filenames or run the script with a hardened wrapper (or patch the code to use spawn/spawnSync with argument arrays) to remove shell interpolation. - Operational prerequisites: Node.js (18+), Python3, and Pillow must be installed; Playwright will install Chromium. Ensure you have disk space and network access for these downloads. If you plan to use this skill frequently, consider auditing/patching the execSync call to use a safe spawn variant, and run the skill in a sandboxed environment (container or dedicated VM). If you are unsure about the author given the missing homepage/metadata, prefer to run only the reviewed code locally rather than allowing automatic installs in a shared environment.
scripts/capture.mjs:289
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975zh110fzx72j4zsy95092dn836vgqpdfvk975zh110fzx72j4zsy95092dn836vgqplaywrightvk975zh110fzx72j4zsy95092dn836vgqpresentationvk975zh110fzx72j4zsy95092dn836vgqslidesvk975zh110fzx72j4zsy95092dn836vgqwebvk975zh110fzx72j4zsy95092dn836vgq
203downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@pearyj
latestpdfplaywrightpresentationslidesweb
Download

Web to PDF

Capture any web page — especially slide-based presentations — as a multi-page PDF using a headless browser.

How it works

A bundled Playwright script screenshots each slide (or the full page) as PNG, then assembles them into a PDF via Pillow. It auto-detects the navigation model:

ModelDetectionExamples
reveal.js.reveal element + Reveal JS APIreveal.js decks
Vertical scrollPage height > 1.5× viewport, multiple slide elementsCustom JS slide decks with stacked sections
KeyboardMultiple slide elements, not scrollableimpress.js, deck.js, arrow-key decks
Single pageNo slide structure detectedRegular web pages, articles

Prerequisites

The script bundles its own package.json. On first use (or if node_modules is missing), install dependencies:

cd ${CLAUDE_SKILL_DIR}/scripts && npm install && npx playwright install chromium

Pillow (Python) is also required for PNG-to-PDF assembly:

pip install Pillow

Usage

Run the capture script:

node ${CLAUDE_SKILL_DIR}/scripts/capture.mjs <url> <output.pdf> [options]

Options

FlagDefaultDescription
--width N1920Viewport width in pixels
--height N1080Viewport height in pixels
--wait N1000Milliseconds to wait per slide for animations
--max-slides N50Safety cap on number of slides

Examples

# Presentation deck at 1080p
node ${CLAUDE_SKILL_DIR}/scripts/capture.mjs https://example.com/pitch output.pdf

# Narrow viewport for mobile-style capture
node ${CLAUDE_SKILL_DIR}/scripts/capture.mjs https://example.com/page doc.pdf --width 1280 --height 720

# Slow animations, give extra time
node ${CLAUDE_SKILL_DIR}/scripts/capture.mjs https://example.com/deck slides.pdf --wait 2000

Workflow

  1. Check that playwright and Pillow are installed; install if missing
  2. Run the capture script with the user's URL and desired output path
  3. Verify the output — check page count and spot-check a few pages by reading the PDF or individual screenshots
  4. Report the result to the user (page count, file size, output path)

Troubleshooting

  • Slides all identical: The navigation detection may have picked the wrong model. Try adding --wait 2000 for slower transitions, or check if the site requires interaction (cookie banners, login) before slides are accessible.
  • Missing content / animations not rendered: Increase --wait to give JS more time to render.
  • Blank pages: Some sites lazy-load content; the scroll-based capture handles this by scrolling to each slide. If keyboard navigation produces blanks, the site may actually be scroll-based.
  • Too few / too many pages: Check --max-slides and verify the slide selector detected is correct by inspecting the script's console output.

Comments

Loading comments...