Security audit

Huo15 Markdown Export

Security checks across malware telemetry and agentic risk

Overview

This Markdown export skill is mostly coherent, but it needs review because it can broadly install itself across OpenClaw workspaces and can render, persist, or share document contents without tight containment.

Install only if you need Markdown publishing automation and are comfortable reviewing its broader agent and data effects. Run install-to-workspaces.sh with --dry-run before allowing it to change multiple workspaces, use --no-archive for sensitive documents, avoid rendering untrusted Markdown unless network access and raw HTML are acceptable, and require explicit confirmation before creating public links or sending files to chat channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (11)

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
The renderer injects a remote Mermaid ES module from jsDelivr into every generated HTML document when Mermaid is enabled. That introduces third-party code execution, network dependency, and privacy/supply-chain risk in what is otherwise presented as a local markdown rendering/export path; if the CDN content is unavailable, tampered with, or blocked, output behavior changes and untrusted code may run in the viewer's browser.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The README explicitly promotes exposing rendered artifacts through public URLs and sending them over enterprise chat, but it does not warn users to avoid sensitive or internal-only content. In a document-export/publishing skill, this omission materially increases the chance of accidental data disclosure because users may assume the sharing flow is safe by default.

Missing User Warnings

Severity: Low | Confidence: 81%
Finding:
The README states that publishing automatically archives content under ~/knowledge/huo15/, but does not clearly warn that source material and metadata will be copied into a persistent local knowledge base. This can lead to unintended retention of sensitive drafts, internal reports, or regulated content beyond the user's expectations.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding:
The trigger list includes very broad phrases like exporting PDF/Word, sharing links, previews, blogs, reports, and everyday publishing terms, which increases the chance this skill is invoked when the user did not specifically intend to use it. Because the skill can render files, create public links, and prepare outbound sharing flows, accidental activation can lead to unintended processing or disclosure of sensitive markdown content.

Vague Triggers

Severity: Medium | Confidence: 91%
Finding:
The AI trigger guidance tells the agent to enter outbound/share mode based on ambiguous intent signals such as '发给我', '给我看看', '预览', or simply being in an IM channel. Those conditions are broad enough that normal conversational requests could be interpreted as authorization to generate shareable artifacts or links, creating a risk of unintended transmission beyond the local environment.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The skill contains detailed workflows for generating public URLs, sending files to enterprise messaging platforms, and publishing multi-format outputs, but it does not require a clear user-facing privacy warning at the point of action. In context, the skill is aimed at reports, proposals, reviews, and customer materials, which often contain confidential business information, so sharing without an explicit exposure warning materially increases data leakage risk.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The script automatically copies the full input markdown into a persistent knowledge-base path under ~/knowledge/huo15 unless --no-archive is supplied. In an agent skill context, input markdown may contain sensitive business content, internal links, tokens, or personal data, so silent persistence creates an unintended data-retention and confidentiality risk, especially on shared or managed hosts.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The fallback explicitly instructs the agent to disclose local filesystem paths to the user. Local paths can reveal usernames, directory layouts, temporary workspace names, project structure, or internal host/container conventions, which may aid reconnaissance or leak sensitive environment details unnecessarily; in this skill, the AI instruction further tells the agent to do this automatically without repeated confirmation.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The script renders attacker-controlled Markdown as HTML inside Puppeteer with normal network access enabled via page.setContent(..., { waitUntil: 'networkidle0' }). If the Markdown or generated HTML can reference remote images, fonts, scripts, Mermaid resources, or other external URLs, rendering may leak metadata/IP, trigger unintended outbound requests, or interact with internal network resources in SSRF-like scenarios when processing untrusted content.

Known Vulnerable Dependency: markdown-it==14.1.0 — 1 advisory: CVE-2026-2327 (markdown-it has a Regular Expression Denial of Service (ReDoS))

Severity: Low | Category: Supply Chain | Confidence: 87%
Finding:
markdown-it==14.1.0

Known Vulnerable Dependency: katex==0.16.11 — 1 advisory: CVE-2025-23207 (KaTeX \htmlData does not validate attribute names)

Severity: Low | Category: Supply Chain | Confidence: 84%
Finding:
katex==0.16.11

VirusTotal

66/66 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.