Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jinx

v1.0.0

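Automatic report-to-PDF output. When sending a Markdown report file to the user, automatically convert it to PDF before sending, so that WeChat and Feishu users can view it directly.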


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jingxxxxx/wxmd2df.

Install the skill "jinx" (jingxxxxx/wxmd2df) from ClawHub.
Skill page: https://clawhub.ai/jingxxxxx/wxmd2df
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wxmd2df

ClawHub CLI

npx clawhub@latest install wxmd2df

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The stated purpose (auto-convert .md to .pdf for WeChat/Feishu) matches the SKILL.md instructions. However, the skill metadata says no required binaries/env, while the instructions assume a Node/npm environment (npx) and even adjust PATH to include Homebrew. The need for npx/node should be declared.

Instruction Scope

Instructions stay within the stated task (generate PDF from a specific .md and send it). They do not request secrets or unrelated files. But they explicitly run a shell command that downloads and executes an npm package at runtime (npx -y md-to-pdf@latest) and modify PATH to include $HOME/.homebrew/bin, actions that extend beyond simple file conversion and require careful review/controls.

Install Mechanism

There is no install spec, but the runtime uses npx -y to fetch and run md-to-pdf@latest from the npm registry. That dynamically executes third-party code (un-pinned latest) on the host each time, which is a supply-chain and arbitrary-code execution vector. The skill does not declare Node/npm as a requirement or pin the package version.

Credentials

The skill requests no credentials or sensitive environment variables. Its runtime needs (fonts for Chinese, Node/npx) are operational rather than secret-oriented.

Persistence & Privilege

The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide settings beyond a temporary PATH prepend in the command.

What to consider before installing

This skill does what it says (convert Markdown to PDF for messaging channels) but it runs npx -y md-to-pdf@latest at runtime, meaning it will download and execute code from the npm registry without a pinned version. Before installing or enabling:

  1. Confirm the environment has Node/npm/npx and add them to the declared requirements.
  2. Prefer pinning the npm package to a specific trusted version or vendoring the conversion tool into a vetted install step.
  3. Require user approval before running the conversion for sensitive documents, or run the conversion in an isolated/containerized environment.
  4. Review the md-to-pdf package (owner, popularity, recent changes) to assess supply-chain risk.

If you cannot accept on-demand execution of unpinned npm packages, do not enable this skill as-is.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📄 Clawdis
latest vk97a195dhy4rknrb1javkfg1jx83f4we
104 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

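Automatic report-to-PDF conversion

When sending a Markdown report to the user, automatically convert it to PDF so that it can be viewed directly on platforms such as WeChat and Feishu.

Use cases

  • When sending a .md report file to the user via Feishu/WeChat
  • When the user explicitly asks for a PDF
  • When the channel does not support Markdown rendering (WeChat, Feishu, etc.)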

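Execution rules

Deciding whether to convert to PDF

Channel | Convert to PDF?
WeChat (openclaw-weixin) | ✅ Always convert
Feishu (feishu) | ✅ Always convert
Discord | ❌ The md file can be sent directly
Telegram | ❌ Telegram supports Markdown rendering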

Conversion command

export PATH="$HOME/.homebrew/bin:$PATH" && npx -y md-to-pdf@latest <input-file.md> --pdf-options '{"format":"A4","margin":{"top":"20mm","bottom":"20mm","left":"15mm","right":"15mm"}}'

The output file is written to the same directory as the input file, with the .pdf extension.

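Sending procedure

  1. Confirm the report .md file has been generated
  2. Run the md-to-pdf conversion
  3. Confirm the .pdf file has been generated (check that the file size is > 0)
  4. Send the .pdf file through the current channel
  5. Optional: also send a brief note (report title, key conclusions)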

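Failure handling

If the conversion fails, fall back to:

  1. Send the original .md file
  2. Tell the user "PDF conversion failed; the original file has been sent"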

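Notes

  • md-to-pdf is installed automatically on first run, which takes about 5-10 seconds
  • Chinese content requires a Chinese font on the system (macOS includes PingFang SC by default)
  • If the report contains complex tables or code blocks, the PDF layout may be imperfect; adjust it manually if necessary
  • The PDF file is placed in the same directory as the MD file for easy management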
