Security Scan
OpenClaw
Suspicious
medium confidence
The skill's code and instructions mostly match a PDF tool, but there are risky install instructions (curl | sh from an unknown host) and scripts that probe multiple system/home directories which are disproportionate and worth manual review before use.
Assessment recommendations
This skill largely does what it claims, but take these precautions before installing or running it: 1) Do not run the curl | sh command referenced for Tectonic (handlers/latex.md) without verifying the source — prefer official releases (GitHub or vendor site) or install manually. 2) Manually review scripts/setup.sh and compile_latex.py for network calls, downloads, or commands that run arbitrary remote code. 3) Be aware browser_helper.js scans many home/cache locations to find Chromium; run in a...
✓ Purpose and capabilities
Name/description align with the included files: HTML→PDF rendering (Playwright + Paged.js), LaTeX compilation, and PDF processing (pikepdf/pdfplumber). The provided Python/JS scripts implement the advertised functionality.
⚠ Instruction scope
SKILL.md mandates running local scripts and forbids fallback tools; handlers and browser_helper.js perform broad system probing (enumerating many /home users and caches, inspecting env vars) to locate Playwright/Chromium. This goes beyond the minimal scope of converting a single document and may read system paths outside the working directory.
⚠ Installation mechanism
handlers/latex.md instructs installing Tectonic via a piped curl: `curl -fsSL https://drop-sh.fullyjustified.net | sh` (unknown domain). Remote install scripts piped to sh are high-risk. Playwright/Chromium installation via npm/npx is expected, but the Tectonic curl|sh step is disproportionate and unsafe unless the URL is verified.
ℹ Credential requirements
The skill does not declare required credentials or env vars, which is appropriate. The code does reference many standard environment variables (PLAYWRIGHT_PATH, NODE_PATH, APPDATA, HOME, SUDO_USER, PDF_EXTRA_BROWSER_PATHS) to locate browser installations — these are reasonable for locating binaries but the practice of scanning many home directories increases privacy exposure.
✓ Persistence and privileges
The skill is not set to always:true and requests no platform-wide privileges. Scripts may install tools into the user home (e.g., tectonic) which is normal for build tooling, but this is not an elevated persistent privilege by itself.
⚠ scripts/browser_helper.js:51
Shell command execution detected (child_process).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/30
PDF creation via HTML+Paged.js, academic papers, reports, KaTeX math, Mermaid diagrams
● Harmless
Install command
Official: `npx clawhub@latest install minimax-pdf-pro`
Mirror (accelerated): `npx clawhub@latest install minimax-pdf-pro --registry https://cn.clawhub-mirror.com`
Data source: ClawHub · Chinese optimization: 龙虾技能库