Security scan
OpenClaw
Suspicious
Medium confidence: The skill mostly does what its name says (converting Markdown to KMind images locally) and asks for reasonable resources (node, a browser), but there are prompt-injection indicators in the SKILL.md and a large bundled JS payload that should be audited before the skill is trusted on sensitive machines.
Assessment advice
What to consider before installing/running:
1) Source is unknown and there is no homepage — prefer packages from known authors.
2) The skill bundles several megabytes of JS and will execute locally; inspect the vendor files (search for network calls, puppeteer/playwright, fetch/https/http, and any hardcoded URLs).
3) The SKILL.md triggered the 'base64-block' and 'unicode-control-chars' heuristics — open the SKILL.md in a hex/text viewer and search for hidden or encoded payloads; decode any base64 yo...
✓ Purpose and capabilities
Name/description match the requested binaries and config. Requesting node and access to a browser (browser.enabled) is coherent for a local HTML/headless‑render export tool. Bundling a CLI and render code is expected for an offline renderer.
ℹ Instruction scope
Runtime instructions are narrowly scoped to running the bundled CLI: node scripts/kmind-render.mjs ... and to using a local Chromium/browser for rendering. The SKILL.md explicitly states offline operation and does not declare network endpoints. However, the SKILL.md contains pre-scan prompt‑injection indicators (base64 block and unicode control characters) which could hide or obfuscate instructions — that is a red flag and warrants inspection of the raw SKILL.md for hidden content.
✓ Install mechanism
No external install/downloads are declared; the skill is instruction+bundled code (no URL downloads). That is lower risk than fetching arbitrary remote binaries. The vendor files are large (several MB) — expected for a bundled renderer UI but they should be audited because the code will run locally.
✓ Credential requirements
The skill declares no environment variables or credentials. It only needs node and browser access, which match the stated purpose. No unrelated secrets are requested.
✓ Persistence and permissions
`always` is false and the skill does not request system-wide changes. It spawns a local child node process; nothing indicates it will modify other skills or agent config autonomously.
⚠ scripts/kmind-render.mjs:10
Shell command execution detected (child_process).
⚠ scripts/vendor/cli.mjs:6005
Shell command execution detected (child_process).
⚠ scripts/vendor/render-job-browser.js:96980
File read combined with network send (possible exfiltration).
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest: v0.1.0 (2026/4/3)
- Initial release: Convert Markdown outlines or plain text into KMind mind maps with SVG or PNG export.
- Supports theme, layout, connector, light/dark appearance, and rainbow branch configurations.
- Operates fully offline; no internet connection required.
- Enables easy command-line use with sensible defaults and manual/auto browser modes.
- Exposes only safe theme, layout, and edge route options for enhanced security.
- Offers `.kmindz.svg` export for further editing in KMind Zen clients.
● Harmless
Install commands
Official: `npx clawhub@latest install kmind-markdown-to-mindmap-cn`
Mirror (accelerated): `npx clawhub@latest install kmind-markdown-to-mindmap-cn --registry https://cn.longxiaskill.com`