Back to skill
Skillv1.0.0
ClawScan security
Markdown to HTML Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 6:34 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested resources and runtime instructions match its stated purpose (a single-file Markdown→HTML web app); nothing requested is disproportionate or unrelated.
- Guidance
- This skill appears coherent and low-risk for building a client-side Markdown→HTML single-file app. Before using or deploying, consider: (1) the CDN URLs: if you need stronger supply-chain guarantees, add Subresource Integrity (SRI) attributes or host the libraries locally; (2) review any theme CSS you add for licensing; and (3) because the app uses browser FileReader and generates downloads, verify it only processes user-provided files and does not inadvertently send content to external servers if you adapt the code. If you want stricter offline use, bundle dependencies instead of relying on CDNs.
Review Dimensions
- Purpose & Capability
- okThe name/description describe a Markdown→HTML single-file web app with themes, preview, and download; the SKILL.md contains only HTML/CSS/JS design and behaviors needed for that feature set. No unrelated credentials, binaries, or system access are requested.
- Instruction Scope
- okRuntime instructions focus on building UI modules, parsing Markdown (marked.js), theming, file-reading via browser FileReader, preview updating, and generating downloadable HTML. They do not instruct reading host system files, env vars, or sending arbitrary data to external endpoints beyond loading CDN assets — all consistent with a client-side web app.
- Install Mechanism
- noteNo install spec or code is present (instruction-only), which is low-risk. The design relies on third-party CDN resources (jsdelivr, highlightjs via GitHub CDN). Using CDN-hosted libs is reasonable here but introduces a supply-chain/trust consideration.
- Credentials
- okNo environment variables, credentials, or config paths are required. The skill does not request access to unrelated services or secrets.
- Persistence & Privilege
- okSkill flags are default (not always:true) and it does not request persistent or elevated agent privileges. As instruction-only, it does not modify other skills or system settings.