Trusted — Risk Score 5/100
Last scan: 2 days ago
baoyu-url-to-markdown
Fetch any URL and convert to markdown using Chrome CDP. Saves the rendered HTML snapshot alongside the markdown, uses an upgraded Defuddle pipeline with better web-component handling and YouTube transcript extraction.
baoyu-url-to-markdown is a legitimate web scraping and URL-to-markdown conversion skill with no malicious behavior detected. All operations—Chrome CDP automation, network requests, file writes, and environment variable usage—are documented and necessary for its stated purpose.
Skill Name: baoyu-url-to-markdown
Duration: 61.1s
Engine: pi
Safe to install
No action needed. The skill is safe to use as documented.

Findings (2 items)

Severity: Low
Finding: Hardcoded placeholder IP in User-Agent
The DEFAULT_USER_AGENT constant in scripts/constants.ts contains 'Chrome/130.0.0.0' — the IP portion is a non-routable placeholder that will never connect to anything. It's cosmetic only and present in the download user agent as well.
Evidence: Chrome/130.0.0.0 Safari/537.36
→ Replace with a proper Chrome version string (e.g., Chrome/131.0.0.0) for better compatibility and less ambiguity in IOC scans.
Location: scripts/constants.ts:4

Severity: Low
Finding: Shell spawn (ps aux) used for port detection
The vendor CDP library calls spawnSync('ps', ['aux']) to scan for existing Chrome debug ports. This is a documented diagnostic technique for Chrome automation and is not used for arbitrary command execution.
Evidence: spawnSync('ps', ['aux'], { encoding: 'utf-8', timeout: 5000 })
→ No action needed. This is expected behavior for the CDP Chrome discovery flow.
Location: scripts/vendor/baoyu-chrome-cdp/src/index.ts:220
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | main.ts writes markdown/html to configurable output dirs; SKILL.md declares medi…
Network | READ | READ | ✓ Aligned | main.ts fetches target URLs via CDP and defuddle.md; media-localizer.ts download…
Shell | NONE | WRITE | ✓ Aligned | cdp.ts uses spawn() to launch Chrome and spawnSync('ps') to detect existing Chro…
Environment | NONE | READ | ✓ Aligned | paths.ts and cdp.ts read URL_CHROME_PATH, URL_DATA_DIR, URL_CHROME_PROFILE_DIR; …
Skill Invoke | NONE | NONE | N/A |
Clipboard | NONE | NONE | N/A |
Browser | WRITE | WRITE | ✓ Aligned | cdp.ts and SKILL.md document Chrome CDP automation (launch, navigate, evaluate s…
Database | NONE | NONE | N/A |
5 findings, 1 High

Severity | Type | Value | Location
High | IP Address (Hardcoded IP address) | 130.0.0.0 | scripts/constants.ts:4
Medium | External URL | https://defuddle.md/ | SKILL.md:207
Medium | External URL | https://defuddle.md/stephango.com | SKILL.md:255
Medium | External URL | https://defuddle.md/$ | scripts/main.ts:101
Medium | External URL | https://gemini.google.com/app | scripts/vendor/baoyu-chrome-cdp/src/index.test.ts:242

File Tree

15 files · 104.6 KB · 3199 lines
TypeScript 11f · 2809L | Markdown 2f · 367L | JSON 2f · 23L
├─ 📁 references
│  └─ 📁 config
│     └─ 📝 first-time-setup.md  Markdown 106L · 2.4 KB
├─ 📁 scripts
│  ├─ 📁 vendor
│  │  └─ 📁 baoyu-chrome-cdp
│  │     ├─ 📁 src
│  │     │  ├─ 📜 index.test.ts  TypeScript 307L · 9.3 KB
│  │     │  └─ 📜 index.ts  TypeScript 523L · 16.8 KB
│  │     └─ 📋 package.json  JSON 9L · 140 B
│  ├─ 📜 cdp.ts  TypeScript 179L · 5.7 KB
│  ├─ 📜 constants.ts  TypeScript 13L · 544 B
│  ├─ 📜 defuddle-converter.ts  TypeScript 58L · 1.9 KB
│  ├─ 📜 html-to-markdown.ts  TypeScript 135L · 4.3 KB
│  ├─ 📜 legacy-converter.ts  TypeScript 629L · 17.9 KB
│  ├─ 📜 main.ts  TypeScript 314L · 11.1 KB
│  ├─ 📜 markdown-conversion-shared.ts  TypeScript 305L · 9.7 KB
│  ├─ 📜 media-localizer.ts  TypeScript 317L · 9.5 KB
│  ├─ 📋 package.json  JSON 14L · 347 B
│  └─ 📜 paths.ts  TypeScript 29L · 1.1 KB
└─ 📝 SKILL.md  Markdown 261L · 13.9 KB

Dependencies (7 items)

Package | Version | Source | Known Vulns | Notes
@mozilla/readability | ^0.6.0 | npm | No | Mozilla's standard HTML-to-readability parser
baoyu-chrome-cdp | file:./vendor/baoyu-chrome-cdp | local | No | Bundled vendor library for Chrome CDP connection
defuddle | ^0.12.0 | npm | No | Markdown extraction pipeline; falls back to defuddle.md hosted API
jsdom | ^24.1.3 | npm | No | DOM parser for HTML processing
linkedom | ^0.18.12 | npm | No | Alternative DOM-like parser
turndown | ^7.2.2 | npm | No | HTML-to-Markdown converter
turndown-plugin-gfm | ^1.0.2 | npm | No | GitHub Flavored Markdown plugin for turndown

Security Positives

✓ No credential harvesting — no access to ~/.ssh, ~/.aws, .env, or environment key iteration
✓ No data exfiltration — all network egress is scoped to fetching the target URL and its media
✓ No reverse shell, C2, or eval() of decoded payloads
✓ No curl|bash or wget|sh remote script execution
✓ No hidden functionality — SKILL.md documents all features including the defuddle.md fallback API
✓ No suspicious base64 payloads or obfuscated code paths
✓ Chrome profile data stays in a scoped app-specific directory (baoyu-skills/chrome-profile)
✓ Files are written only to configurable output directories, not to arbitrary system paths
✓ All dependencies are well-known open-source packages with version constraints