ClawHub

mdstr

PassAudited by ClawScan on May 16, 2026.

Overview

This is a coherent markdown-to-JSON-string helper, but users should review the external npm package and optional OpenAI API examples before running them.

This skill appears benign for converting markdown into a JSON-safe string. Before using it, confirm that the npm package named mdstr is the one you intend to run, and only use the OpenAI/curl examples with files and API keys you are comfortable sending to that provider.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing or running the npm package executes code from outside the reviewed skill artifact.

Why it was flagged

The skill instructs users to download or execute an npm package that is not included in the reviewed artifacts. This is purpose-aligned for a CLI tool, but users must trust the external package source.

Skill content
npm install -g mdstr

# Or use npx for one-off conversions
npx mdstr <file>
Recommendation

Verify the npm package identity and publisher before installing globally or running with npx.

Low
#ASI03: Identity and Privilege Abuse
What this means

If the OpenAI example is used, API calls will be made under the user's OpenAI account and may incur costs or expose prompt content to that provider.

Why it was flagged

An optional workflow shows using an OpenAI API key. This is not required for the core conversion function, but it is sensitive account authority if the example is run.

Skill content
-H "Authorization: Bearer $OPENAI_API_KEY"
Recommendation

Use the API example only with the intended account and key, and avoid sending secrets or private markdown unless that is acceptable.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Running that example sends the selected markdown-derived prompt content to an external provider.

Why it was flagged

The documentation includes a user-directed example that converts a local markdown prompt and sends it to the OpenAI chat completions API.

Skill content
SYSTEM_PROMPT=$(mdstr system-prompt.md)
curl -s https://api.openai.com/v1/chat/completions
Recommendation

Review the markdown content and destination API before running provider examples, especially for private prompts or documentation.