Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Markdown to PDF Converter (v2.0)

v2.0.0

Offline Markdown to PDF converter with full Unicode support using Pandoc + WeasyPrint + local emoji cache. Converts Markdown documents to professional PDFs w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the contents: scripts and instructions implement Pandoc + WeasyPrint conversion, local Twemoji download, and a mapping generator. Declared dependencies (Pandoc, WeasyPrint, Python, wget) are appropriate for the stated goal.
Instruction Scope
Runtime instructions stay within the converter's scope (download Twemoji to ~/.cache/md2pdf, generate emoji mapping, run Pandoc + Lua filter, render with WeasyPrint). They do not attempt to read unrelated system files or exfiltrate data. However, md2pdf-local.sh calls the Python mapping script via a hard-coded absolute path (/home/ltx/.openclaw/workspace/skills/md2pdf-converter/scripts/generate_emoji_mapping.py) instead of a relative or $SCRIPT_DIR-based path. This inconsistency will likely break on other systems and suggests a packaging/authoring oversight.
Install Mechanism
No install spec is provided (instruction-only), so nothing is silently downloaded during installation. The script does download a Twemoji tarball from an official GitHub URL at first run — this is expected and the source is legitimate. No obscure or shortener URLs are used.
Credentials
The skill requests no environment variables or credentials. Files are written to ~/.cache/md2pdf and temporary directories only, which is proportionate to an offline caching converter. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no elevated persistence. It will create a local cache directory (~/.cache/md2pdf) and write files there, which is expected for its purpose.
What to consider before installing
This skill appears to do what it claims (offline Markdown→PDF with Twemoji) and does not request credentials, but review the scripts before running them. Key points to consider:
- The main script downloads ~150MB from GitHub and writes to ~/.cache/md2pdf; confirm you are OK with that download and storage location.
- There is a hard-coded absolute path in md2pdf-local.sh that calls the Python script at /home/ltx/.openclaw/…; on your machine this will likely fail or point to an unexpected location. Edit the script to call the bundled script via a relative path (e.g., use the script's directory or $PWD) before running.
- Inspect the scripts for any unwanted commands (they run wget, tar, mv, rm -rf on the cache dir and invoke pandoc/weasyprint). Run them in a sandbox/container or review the code if you have sensitive files or restrictive policies.
- Ensure required tools (pandoc, weasyprint, python3, wget) and fonts are installed; run font installation steps only if you trust them.
If you want to proceed, either fix the absolute path in md2pdf-local.sh to a relative path or run generate_emoji_mapping.py manually from the skill folder so the mapping is created with the expected ~/.cache/md2pdf/emojis content. If you need higher assurance, perform the first run inside an isolated environment (container or VM).

Like a lobster shell, security has layers — review code before you run it.

Tags: chinese, emoji, latest, markdown, offline, pandoc, pdf, weasyprint
