cf markdown agents

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward web-fetching helper for requesting Markdown-formatted pages, with minor caveats around arbitrary URL fetching and an undeclared curl dependency.

This skill appears safe for its stated purpose. Before installing, note that it can fetch whatever URL the agent supplies and requires curl even though that dependency is not declared. Treat fetched web content as untrusted data, not as instructions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is pointed at an unintended private or internal URL, the fetched content could be brought into the conversation.

Why it was flagged

The helper sends a curl request to the caller-supplied URL and follows redirects. This is purpose-aligned for a web-fetching skill, but it is broad rather than limited to specific hosts or schemes.

Skill content

URL="$1"
...
curl -sSL "$URL" \
    -H "Accept: text/markdown, text/html;q=0.9"

Recommendation

Use it only for intended web pages, preferably public http(s) URLs; maintainers could add URL scheme or host validation if they want tighter boundaries.

What this means

The skill may fail or behave differently on systems without curl, despite the metadata not declaring that dependency.

Why it was flagged

The included script depends on curl, while the registry metadata says there are no required binaries. This is an under-declared prerequisite rather than evidence of malicious behavior.

Skill content

curl -sSL "$URL"

Recommendation

Declare curl as a required binary or document it clearly as a prerequisite.