Is khimyoung/academic-formula-converter safe?

https://github.com/openclaw/skills/tree/main/skills/khimyoung/academic-formula-converter

89
SAFE

The academic-formula-converter is a benign LaTeX-to-docx/HTML Python conversion skill with clean SKILL.md documentation and no prompt injection, persona manipulation, or active data exfiltration. The skill's executable Python performs unrestricted file I/O on user-specified paths and reads arbitrary file paths embedded in markdown image syntax, representing a low-risk attack surface if fed crafted input; however, no malicious behavior was observed during sandboxed installation or in static analysis. All canary files remained intact, post-install audit accesses are attributable to the oathe monitoring framework rather than skill execution, and the only network activity during install was the expected GitHub clone.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 87/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (5)

LOW Arbitrary File Read via Markdown Image Path Parsing -10

formula_converter.py extracts image paths from markdown using a regex, then calls os.path.exists() and doc.add_picture() on the result. Any valid filesystem path embedded in markdown image syntax (e.g., x) will trigger a file-open attempt. python-docx will reject non-image content, but the OS still opens the file descriptor, potentially leaking file existence and triggering read-auditing.

LOW Executable Python Performs Unrestricted File I/O on User-Specified Paths -12

SKILL.md instructs agents to invoke formula_converter.py with arbitrary input and output paths. The script opens the input path for reading and the output path for writing without any path validation or sandboxing. An agent could be directed to read sensitive files as input or overwrite arbitrary files as output.

LOW Unsanitized HTML Title and Content Enables XSS in Output Documents -8

The H1 heading extracted from markdown is inserted directly into the HTML tag via an f-string without HTML-escaping. A markdown file with a crafted title (e.g., containing ) would produce a weaponized HTML file. If an agent delivers this output to a user who opens it in a browser, stored XSS executes.

INFO Post-Install Canary File Access in Audit Records Not Attributable to Skill -5

Audit PATH records show all 6 canary files accessed at 1771938673.845, approximately 4 seconds after install completed. However, formula_converter.py was never executed (absent from process execution log). The access pattern (all 6 files, same microsecond timestamp group) matches an audit framework teardown scan rather than skill activity. Canary integrity monitor confirms no content modification or network exfiltration.

INFO Lock File References Unrelated Skill — Sloppy Packaging -5

.clawhub/lock.json shipped inside this skill's directory contains a dependency record for 'academic-research-hub' v0.1.0 (installedAt: 1770957475341), a completely different skill. This file was likely copied from a shared development environment and left in the release. It is not an active attack vector but indicates poor release hygiene.