Trusted — Risk Score 5/100
Last scan: 19 hr ago
html-to-pdf
Convert HTML files and URLs to PDF using Puppeteer
A legitimate HTML-to-PDF conversion tool using Puppeteer with no malicious behavior, obfuscation, or undeclared capabilities.
Skill Name: html-to-pdf
Duration: 26.7s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 2 items

Severity: Low
Finding: Browser resource not declared in SKILL.md (Doc Mismatch)
Location: scripts/html-to-pdf.js:17
The skill uses Puppeteer to launch a headless browser, which is a 'browser' resource. This is not explicitly declared in SKILL.md under features or capabilities.
Evidence: const browser = await puppeteer.launch({ headless: 'new' });
→ Add browser:READ to the capability mapping in SKILL.md frontmatter, e.g., 'browser: READ' via Puppeteer.

Severity: Low
Finding: Dependency puppeteer not version-pinned (Supply Chain)
Location: SKILL.md:64
SKILL.md installation instructions use 'npm install puppeteer' without specifying a version, allowing major version updates.
Evidence: npm install puppeteer
→ Pin to a specific version, e.g., 'npm install puppeteer@23' or include a package.json.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/html-to-pdf.js:36 - path.resolve() for input; writes PDF output |
| Network | READ | READ | ✓ Aligned | scripts/html-to-pdf.js:28 - page.goto() for URL conversion; declared in SKILL.md… |
| Shell | NONE | NONE | | No subprocess, exec, or shell command execution in implementation |
| Environment | NONE | NONE | | No os.environ access or environment variable iteration |
| Browser | NONE | READ | ✓ Aligned | scripts/html-to-pdf.js:17 - puppeteer.launch() spawns browser; should be declare… |

File Tree

4 files · 7.4 KB · 285 lines
Markdown 3f · 217L JavaScript 1f · 68L
├─ 📁 references
│ ├─ 📝 api.md Markdown 48L · 1.3 KB
│ └─ 📝 setup.md Markdown 79L · 1.9 KB
├─ 📁 scripts
│ └─ 📜 html-to-pdf.js JavaScript 68L · 2.0 KB
└─ 📝 SKILL.md Markdown 90L · 2.2 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| puppeteer | * | npm | No | Version not pinned in installation instructions |

Security Positives

✓ No obfuscation, base64 encoding, or anti-analysis patterns detected
✓ No credential harvesting or sensitive file/path access
✓ No data exfiltration or external IP communication beyond the declared URL conversion feature
✓ No reverse shell, C2, or persistence mechanisms
✓ Code is clean, readable, and straightforward
✓ SKILL.md documentation accurately describes all core capabilities
✓ No hidden instructions or prompt injection vectors
✓ Error handling uses standard practices without suspicious behaviors