Trusted: risk score 0/100
Last scanned: 1 day ago
convert-markdown
A multi-format document conversion skill based on MarkItDown, supporting batch conversion of PDF, Word, PowerPoint, Excel and other formats to Markdown
This is a legitimate document-conversion skill wrapping Microsoft MarkItDown with no malicious behavior detected. All shell usage is explicit, documented, and appropriate for a CLI tool.
Skill name: convert-markdown
Analysis time: 33.2s
Engine: pi
OK to install
No action needed. The skill is safe to deploy and use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | scripts/convert_markonverter.py:17 — Path.read/write_text only for input/output … |
| File system | WRITE | WRITE | ✓ Consistent | scripts/convert_markonverter.py:62 — writes .md output files; kb_index_generator… |
| Network access | READ | READ | ✓ Consistent | SKILL.md mentions YouTube URLs and HTML as supported inputs, handled by markitdo… |
| Command execution | NONE | WRITE | ✓ Consistent | scripts/cli.py:16,41 — subprocess.run() calls Python scripts; shell=False, no us… |
| Environment variables | NONE | NONE | | No os.environ access anywhere in the codebase |
| Skill invocation | NONE | NONE | | No inter-skill invocation found |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | NONE | NONE | | No browser automation found |
| Database | NONE | NONE | | No database access found |
2 findings
Medium severity: External URL
https://youtu.be/xxx
references/FORMATS.md:64
Medium severity: External URL
https://ocrmypdf.readthedocs.io/
references/PDF_CONFIG.md:126

Directory structure

12 files · 50.4 KB · 1758 lines
Markdown 5f · 997L Python 4f · 584L JSON 2f · 127L JavaScript 1f · 50L
├─ 📁 bin
│ └─ 📜 convert-markdown.js JavaScript 50L · 1.2 KB
├─ 📁 references
│ ├─ 📝 API_REFERENCE.md Markdown 325L · 7.7 KB
│ ├─ 📝 FORMATS.md Markdown 95L · 3.0 KB
│ └─ 📝 PDF_CONFIG.md Markdown 125L · 3.2 KB
├─ 📁 scripts
│ ├─ 🐍 batch_convert.py Python 127L · 4.0 KB
│ ├─ 🐍 cli.py Python 136L · 4.3 KB
│ ├─ 🐍 convert_markonverter.py Python 108L · 3.2 KB
│ └─ 🐍 kb_index_generator.py Python 213L · 8.0 KB
├─ 📋 manifest.json JSON 66L · 1.9 KB
├─ 📋 package.json JSON 61L · 1.6 KB
├─ 📝 README.md Markdown 165L · 4.2 KB
└─ 📝 SKILL.md Markdown 287L · 8.1 KB

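Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| markitdown | >=0.1.5 | pip | | Official Microsoft tool; version constraint present |
| python | >=3.10 | runtime | | Declared in manifest.json |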

Security highlights

✓ No base64, eval, atob, or obfuscated code present
✓ No credential or environment variable harvesting
✓ No external IP connections or data exfiltration
✓ No curl|bash or remote script execution
✓ No hidden HTML comments or prompt injection
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ subprocess.run() uses shell=False — no command injection risk
✓ All capabilities are explicitly declared in SKILL.md
✓ Dependencies are well-known open-source (markitdown, python)
✓ All scripts are pure document-conversion logic with no covert side effects
✓ package.json has no dependencies or devDependencies — no supply chain risk