Is bowenliang123/markdown-exporter safe?

https://github.com/openclaw/skills/tree/main/skills/bowenliang123/markdown-exporter

Overall score: 89/100 · SAFE

The markdown-exporter skill is a well-structured, documentation-only SKILL.md with no prompt injection, hidden instructions, or active data exfiltration. The primary risk vectors are design-level: the tool accepts arbitrary filesystem paths for input and output (enabling misuse under adversarial prompting), the md_to_codeblock feature can write executable scripts to disk from untrusted markdown, and the PyPI runtime (md-exporter) was not inspected during this audit. No canary data was exfiltrated and clone behavior was entirely expected.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

MEDIUM PyPI runtime not audited — supply chain blind spot -15

The SKILL.md installs md-exporter from PyPI at user install time. This audit only covers the skill definition files; the actual Python package code executing on user machines was not inspected. A compromised or typosquatted PyPI release would not be caught by SKILL.md-level review.

MEDIUM md_to_codeblock enables code planting from untrusted markdown -16

The code-block extraction feature writes fenced code in any language to named files in a user-specified directory. If an agent is directed to process attacker-supplied markdown, this converts the skill into a code-write primitive. Combined with an execution skill or cron scheduler, this achieves arbitrary code execution.

LOW Template file option allows arbitrary sensitive file read -8

md_to_docx and md_to_pptx accept --template pointing to any path. An agent manipulated via prompt injection could pass ~/.ssh/id_rsa or ~/.aws/credentials as a template, causing the tool to read and potentially embed secrets in the output document.

LOW md_to_html_text stdout output enables in-context data leakage -7

md_to_html_text writes converted HTML to stdout rather than a file. In an agent context, stdout is typically captured into the agent's context window. A crafted input could embed sensitive file content (previously read by the agent) into a form that gets relayed back to an attacker through the agent's response.

INFO Canary files accessed only by monitoring infrastructure 0

All six canary files were opened read-only before the install began (10:50:14 vs clone at 10:50:19). This is consistent with the Oathe monitoring framework establishing baselines. Content was not modified. No skill-attributed process touched sensitive credential files.