Is md2pdf-converter safe?

https://clawhub.ai/tianxingleo/md2pdf-converter

62
CAUTION

This skill is a Markdown-to-PDF converter. It runs a bash script that downloads a ~68MB tarball from a third-party npm mirror (npmmirror.com) without checksum verification, then runs the conversion through Pandoc with a dynamically generated Lua filter. While the SKILL.md contains no prompt injection and the skill's stated purpose is legitimate, the unverified remote download pipeline and the use of a non-canonical registry represent meaningful supply-chain risk. The skill also creates persistent state in the user's home directory and chains multiple external tools that execute code.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (7)

HIGH Unverified remote tarball download and extraction -40

The script downloads emoji-datasource-google-15.0.0.tgz from registry.npmmirror.com via wget and extracts it with tar without any checksum or signature verification. A compromised or MITM'd mirror could serve arbitrary content that gets extracted to the user's filesystem.

MEDIUM Dynamic Lua code generation with path injection -15

The script generates a Lua filter by substituting shell variables into a template using sed. The EMOJI_DIR path is injected into Lua source code. While the default path is safe, this pattern is fragile and could be exploited if the cache directory path contained Lua metacharacters.

MEDIUM Third-party mirror instead of canonical registry -25

The skill uses registry.npmmirror.com (a China-friendly npm mirror) rather than the canonical registry.npmjs.org. While npmmirror is a well-known mirror, using a non-canonical source increases supply-chain attack surface. Users outside China gain no benefit from this choice.

MEDIUM Persistent filesystem writes outside skill directory -10

The script creates and writes to ~/.cache/md2pdf/ in the user's home directory, establishing persistent state that survives across agent sessions. This is a common pattern for caches but expands the skill's filesystem footprint beyond its own directory.

LOW Script executes multiple external tools -10

The script chains wget, tar, pandoc, and weasyprint. Each of these is a significant external dependency with its own attack surface. WeasyPrint in particular renders HTML/CSS and could be vulnerable to crafted input.

LOW Sensitive file access during installation phase -25

During installation, the monitoring detected reads to .env, .aws/credentials, and auth-profiles.json. These appear to be from the OpenClaw platform infrastructure rather than the skill code, but they occurred in the context of this skill's installation.

INFO Clean SKILL.md with no injection attempts -10

The SKILL.md file contains only legitimate documentation about the tool's usage, features, and troubleshooting. No hidden instructions, persona overrides, or obfuscated content detected.