Trusted — Risk Score 0/100
Last scan: 23 hr ago
convert-markdown
A multi-format document conversion skill based on MarkItDown, supporting batch conversion of PDF, Word, PowerPoint, Excel and other formats to Markdown
This is a legitimate document-conversion skill wrapping Microsoft MarkItDown with no malicious behavior detected. All shell usage is explicit, documented, and appropriate for a CLI tool.
Skill Name: convert-markdown
Duration: 33.2s
Engine: pi
Safe to install
No action needed. The skill is safe to deploy and use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | scripts/convert_markonverter.py:17 — Path.read/write_text only for input/output … |
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/convert_markonverter.py:62 — writes .md output files; kb_index_generator… |
| Network | READ | READ | ✓ Aligned | SKILL.md mentions YouTube URLs and HTML as supported inputs, handled by markitdo… |
| Shell | NONE | WRITE | ✓ Aligned | scripts/cli.py:16,41 — subprocess.run() calls Python scripts; shell=False, no us… |
| Environment | NONE | NONE | | No os.environ access anywhere in the codebase |
| Skill Invoke | NONE | NONE | | No inter-skill invocation found |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | NONE | NONE | | No browser automation found |
| Database | NONE | NONE | | No database access found |
2 findings
Medium: External URL
https://youtu.be/xxx
references/FORMATS.md:64

Medium: External URL
https://ocrmypdf.readthedocs.io/
references/PDF_CONFIG.md:126

File Tree

12 files · 50.4 KB · 1758 lines
Markdown 5f · 997L Python 4f · 584L JSON 2f · 127L JavaScript 1f · 50L
├─ 📁 bin
│ └─ 📜 convert-markdown.js JavaScript 50L · 1.2 KB
├─ 📁 references
│ ├─ 📝 API_REFERENCE.md Markdown 325L · 7.7 KB
│ ├─ 📝 FORMATS.md Markdown 95L · 3.0 KB
│ └─ 📝 PDF_CONFIG.md Markdown 125L · 3.2 KB
├─ 📁 scripts
│ ├─ 🐍 batch_convert.py Python 127L · 4.0 KB
│ ├─ 🐍 cli.py Python 136L · 4.3 KB
│ ├─ 🐍 convert_markonverter.py Python 108L · 3.2 KB
│ └─ 🐍 kb_index_generator.py Python 213L · 8.0 KB
├─ 📋 manifest.json JSON 66L · 1.9 KB
├─ 📋 package.json JSON 61L · 1.6 KB
├─ 📝 README.md Markdown 165L · 4.2 KB
└─ 📝 SKILL.md Markdown 287L · 8.1 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| markitdown | >=0.1.5 | pip | No | Official Microsoft tool; version constraint present |
| python | >=3.10 | runtime | No | Declared in manifest.json |

Security Positives

✓ No base64, eval, atob, or obfuscated code present
✓ No credential or environment variable harvesting
✓ No external IP connections or data exfiltration
✓ No curl|bash or remote script execution
✓ No hidden HTML comments or prompt injection
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ subprocess.run() uses shell=False — no command injection risk
✓ All capabilities are explicitly declared in SKILL.md
✓ Dependencies are well-known open-source (markitdown, python)
✓ All scripts are pure document-conversion logic with no covert side effects
✓ package.json has no dependencies or devDependencies — no supply chain risk