Lightweight document utility designed to convert files to Markdown (MD), built specifically for intelligent agents (e.g., OpenClaw, ClaudeCode) to read and p...
Security Analysis
medium confidenceThe skill's code, instructions, and requirements are consistent with a document-to-Markdown converter that uploads files to the lab.hjcloud.com conversion service; the main risk is expected — uploading documents to a third‑party service and writing output to the local directory.
Name, description, SKILL.md, and the included Node script all describe and implement the same behavior: read a local file, POST it to https://lab.hjcloud.com/llmdoc, poll for conversion, download a ZIP or single MD, and write output next to the source. Required binary 'node' is appropriate.
Instructions and code explicitly read the provided file, upload it to the remote service, poll for status, download results, and write files into the source file's parent directory. This is within the declared scope, but it does involve uploading user documents off‑host and creating files/directories locally — both are explicit in SKILL.md and should be acceptable only if the user is comfortable with that.
No install spec; the skill is a bundled Node script and SKILL.md that runs with the system 'node' binary. Nothing is downloaded from unknown URLs during install; network activity occurs at runtime to the service endpoint.
The skill requests no environment variables or credentials. It communicates with a single service endpoint (lab.hjcloud.com) which matches the skill purpose. No unrelated secrets or config paths are requested.
The skill does not request persistent or elevated platform privileges and is not configured always:true. It reads/writes files only in the same directory as the supplied source file (as documented).
Guidance
This skill appears to do what it says: it uploads files to lab.hjcloud.com for conversion and saves results next to the original file. Before installing or using it, consider: (1) Do not upload sensitive/confidential documents unless you trust the service and have reviewed its privacy/data‑retention policy; the SKILL.md warns about this. (2) Verify the endpoint (lab.hjcloud.com) and the project homepage; test with non‑sensitive files first. (3) Review the rest of the script (particularly ZIP extraction code) for path traversal or overwrite behavior if you need stronger assurance — the provided code writes output to the source directory. (4) If you require offline conversion for sensitive data, prefer a purely local converter instead.
Latest Release
v1.0.10
- Added support for two download modes: single merged Markdown file (--md) and full Markdown package (ZIP with images and tables). - Updated Quick Start instructions to document both modes. - Expanded documentation with a "Download Modes" section explaining when to use each mode. - Clarified output location for both MD and ZIP extraction. - Improved privacy notice for sensitive document handling.
More by @haoyt27
Published by @haoyt27 on ClawHub
