ClawAudit verdict
huo15-markdown-export
A Markdown-to-PDF/Word/HTML export skill using Node, markdown-it, and Puppeteer; no suspicious data exfiltration or credential access, all operations are local document rendering.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (7)
Pipe to python — executes piped content as Python code
SKILL.md · prose · downgraded · | python
HTTP request to bare IP address — common in malicious payloads
SKILL.md · code · http://127.0.0.1
<script> tag in markdown — potential code injection
SKILL.md · prose · downgraded · <script>
References sudo — requests elevated privileges
scripts/install-deps.sh · prose · downgraded · sudo
setuid — privilege escalation mechanism
scripts/md2pdf-puppet.js · prose · downgraded · setuid
Node http/https module — low-level network access
scripts/md-preview.js · prose · downgraded · require('http')
References agent configuration files
themes/DESIGN.md · prose · downgraded · CLAUDE.md
Permissions & capabilities
No declared permissions — minimal attack surface.
Is this flag fair?
Thanks — recorded.