← Back to Skills Marketplace
1658
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install mxe
Description
Convert Markdown files to PDF, DOCX, or HTML with advanced formatting, Mermaid diagrams, custom fonts, and table of contents support.
Usage Guidance
This skill appears to be a Markdown export tool, but there are red flags you should consider before installing or running its commands:
- SKILL.md tells the agent to cd into a hard-coded local path (/Users/tuan/.openclaw/workspace/mxe) and run `npm run build && npm link`. Those commands will execute whatever build scripts exist there and can modify your system npm links — do not run them on a machine unless you trust the contents of that directory.
- The registry metadata version (2.0.0) and package.json version (1.0.0) differ; the SKILL.md reveals a specific username ('tuan') in the path. These indicate sloppy packaging or a locally authored bundle rather than a vetted upstream release.
- Because there is no formal install spec pointing to a known release (GitHub, npm registry, etc.), prefer obtaining the tool from an official source or inspecting the repository contents yourself before running any build/install commands.
Recommended precautions:
- Ask the skill author for a canonical install URL (GitHub release or npm package) and a non-user-specific install instruction.
- Inspect the repository and package.json scripts in a safe environment (sandbox or VM) before running `npm run build` or `npm link`.
- If you must test on your workstation, run build steps in an isolated container or VM to avoid executing untrusted scripts and avoid global linking.
Given these inconsistencies and the potential to run arbitrary local build scripts, treat this skill as suspicious until you can verify its source and contents.
Capability Analysis
Type: OpenClaw Skill
Name: mxe
Version: 2.0.0
The skill is classified as suspicious due to the instruction in `SKILL.md` for the AI agent to install an external global npm package (`npm i -g @mermaid-js/mermaid-cli`). While `@mermaid-js/mermaid-cli` is a legitimate tool, granting the agent the capability to install arbitrary global packages from the public registry introduces a significant supply chain risk and broad system modification permissions, even without clear evidence of intentional malicious behavior in this specific instance. The skill also demonstrates network access for downloading web articles, which is aligned with its stated purpose.
Capability Assessment
Purpose & Capability
The SKILL.md and package.json both describe a Markdown-to-PDF/DOCX/HTML exporter with Mermaid support, which is coherent. However the registry metadata omitted a description while package.json provides one, and the package.json version (1.0.0) does not match the registry version (2.0.0). These mismatches are sloppy and reduce confidence but do not by themselves indicate malicious intent.
Instruction Scope
The runtime instructions direct the agent to run shell commands that access a hard-coded user path (/Users/tuan/.openclaw/workspace/mxe) and to execute `npm run build && npm link` there. That will execute whatever build scripts exist in that local workspace and modify the system npm links — actions beyond simply converting a file and potentially executing arbitrary code from a local directory. The SKILL.md otherwise stays on-topic (conversion options, mermaid, fonts, etc.), but the explicit local path and build/link instructions are unexpected and risky.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md instructs installing by cd'ing into a specific local workspace and running `npm run build` and `npm link`. This relies on local, user-specific files rather than a well-known package source and would execute unreviewed scripts. While no remote download URL is present, `npm run build` can run arbitrary code defined in package.json scripts if that workspace exists — a notable install-time risk.
Credentials
The skill does not request any environment variables, credentials, or config paths. That is proportional to the stated purpose (a local file conversion tool).
Persistence & Privilege
The skill is not marked always:true and uses default model-invocation settings (agent may invoke it autonomously). This is the platform default and acceptable here. The SKILL.md does include commands that would modify system state (npm link), but the skill does not request persistent privileges or modify other skills' configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mxe - After installation, invoke the skill by name or use
/mxe - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Mermaid, TOC, bookmarks, custom fonts
Metadata
Frequently Asked Questions
What is Mxe?
Convert Markdown files to PDF, DOCX, or HTML with advanced formatting, Mermaid diagrams, custom fonts, and table of contents support. It is an AI Agent Skill for Claude Code / OpenClaw, with 1658 downloads so far.
How do I install Mxe?
Run "/install mxe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mxe free?
Yes, Mxe is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Mxe support?
Mxe is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mxe?
It is built and maintained by tuanpmt (@tuanpmt); the current version is v2.0.0.
More Skills