Is joelchance/markdown-convert safe?
https://github.com/openclaw/skills/tree/main/skills/joelchance/markdown-convert
The joelchance/markdown-convert skill is a straightforward Python wrapper around the legitimate Cloudflare markdown.new service. The skill code is clean (stdlib-only, no credential access, no unexpected network activity during install), and all canary honeypot files remained intact with no exfiltration detected. The primary risks are architectural rather than malicious: every converted URL is transmitted to a third-party service, a --api-url override flag could be weaponized via prompt injection to redirect submissions to an attacker-controlled endpoint, and the lack of private IP filtering enables potential SSRF through markdown.new's server-side fetcher.
Findings (7)
MEDIUM All converted URLs transmitted to third-party Cloudflare service -15
Every URL a user asks the agent to convert is sent as a POST payload to https://markdown.new/. While this is the skill's stated purpose, it creates a persistent privacy leak: all URLs (including potentially sensitive internal links, authenticated resources, or user-identifiable pages) are logged by a third-party service. The agent user may not realize this is occurring.
MEDIUM --api-url flag enables endpoint hijacking -10
The Python script accepts a --api-url argument that overrides the default markdown.new endpoint. If a malicious prompt or injected instruction convinces the agent to supply --api-url pointing to an attacker-controlled server, all URL submissions and any returned markdown content would transit through the attacker's infrastructure, enabling both URL collection and response poisoning.
LOW Server-Side Request Forgery (SSRF) via markdown.new fetch -15
The validate_url() function only checks that the scheme is http or https and that netloc is non-empty. It does not block private IP ranges (RFC 1918, link-local, loopback). An agent instructed to convert http://169.254.169.254/latest/meta-data/ or http://10.0.0.1/admin would transmit that URL to markdown.new's server-side fetcher, potentially receiving cloud instance metadata or internal service responses as converted markdown into the agent context.
LOW Executable Python script bundled in skill -10
The skill ships scripts/markdown_new_fetch.py and SKILL.md instructs the agent to execute it directly via python3. While the script is clean (stdlib-only), distributing and auto-executing bundled scripts is an elevated-trust model. A future poisoned update to this file would be automatically executed by any agent following the SKILL.md workflow.
LOW Hardcoded install paths create ambiguity for multi-environment agents -8
SKILL.md repeatedly assumes the skill is installed at the absolute path ~/.codex/skills/markdown-new/. If the skill is installed at a different location (e.g., ~/.claude/skills/), the agent may attempt to resolve scripts from the wrong path, potentially running a different or non-existent script. The instruction is operational rather than adversarial but reduces robustness.
INFO Developer personal filesystem path left in README 0
README.md contains install commands referencing /Users/pro16/Dropbox/experiments/skills-i-use/markdown-new — the author's personal machine path. This is a development artifact indicating the skill was not sanitized before publishing. It reveals the author's macOS username and Dropbox structure.
INFO Canary credential files were opened during monitoring window 0
Auditd records show OPEN+ACCESS of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at timestamps 1771935731 (5 seconds before git clone) and 1771935748 (after all skill operations). These accesses correlate with monitoring infrastructure canary initialization and teardown, not with any skill process. All files remain unmodified and no network egress correlated with canary content.