← 返回 Skills 市场
1658
总下载
0
收藏
4
当前安装
1
版本数
在 OpenClaw 中安装
/install mxe
功能描述
Convert Markdown files to PDF, DOCX, or HTML with advanced formatting, Mermaid diagrams, custom fonts, and table of contents support.
安全使用建议
This skill appears to be a Markdown export tool, but there are red flags you should consider before installing or running its commands:
- SKILL.md tells the agent to cd into a hard-coded local path (/Users/tuan/.openclaw/workspace/mxe) and run `npm run build && npm link`. Those commands will execute whatever build scripts exist there and can modify your system npm links — do not run them on a machine unless you trust the contents of that directory.
- The registry metadata version (2.0.0) and package.json version (1.0.0) differ; the SKILL.md reveals a specific username ('tuan') in the path. These indicate sloppy packaging or a locally authored bundle rather than a vetted upstream release.
- Because there is no formal install spec pointing to a known release (GitHub, npm registry, etc.), prefer obtaining the tool from an official source or inspecting the repository contents yourself before running any build/install commands.
Recommended precautions:
- Ask the skill author for a canonical install URL (GitHub release or npm package) and a non-user-specific install instruction.
- Inspect the repository and package.json scripts in a safe environment (sandbox or VM) before running `npm run build` or `npm link`.
- If you must test on your workstation, run build steps in an isolated container or VM to avoid executing untrusted scripts and avoid global linking.
Given these inconsistencies and the potential to run arbitrary local build scripts, treat this skill as suspicious until you can verify its source and contents.
功能分析
Type: OpenClaw Skill
Name: mxe
Version: 2.0.0
The skill is classified as suspicious due to the instruction in `SKILL.md` for the AI agent to install an external global npm package (`npm i -g @mermaid-js/mermaid-cli`). While `@mermaid-js/mermaid-cli` is a legitimate tool, granting the agent the capability to install arbitrary global packages from the public registry introduces a significant supply chain risk and broad system modification permissions, even without clear evidence of intentional malicious behavior in this specific instance. The skill also demonstrates network access for downloading web articles, which is aligned with its stated purpose.
能力评估
Purpose & Capability
The SKILL.md and package.json both describe a Markdown-to-PDF/DOCX/HTML exporter with Mermaid support, which is coherent. However the registry metadata omitted a description while package.json provides one, and the package.json version (1.0.0) does not match the registry version (2.0.0). These mismatches are sloppy and reduce confidence but do not by themselves indicate malicious intent.
Instruction Scope
The runtime instructions direct the agent to run shell commands that access a hard-coded user path (/Users/tuan/.openclaw/workspace/mxe) and to execute `npm run build && npm link` there. That will execute whatever build scripts exist in that local workspace and modify the system npm links — actions beyond simply converting a file and potentially executing arbitrary code from a local directory. The SKILL.md otherwise stays on-topic (conversion options, mermaid, fonts, etc.), but the explicit local path and build/link instructions are unexpected and risky.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md instructs installing by cd'ing into a specific local workspace and running `npm run build` and `npm link`. This relies on local, user-specific files rather than a well-known package source and would execute unreviewed scripts. While no remote download URL is present, `npm run build` can run arbitrary code defined in package.json scripts if that workspace exists — a notable install-time risk.
Credentials
The skill does not request any environment variables, credentials, or config paths. That is proportional to the stated purpose (a local file conversion tool).
Persistence & Privilege
The skill is not marked always:true and uses default model-invocation settings (agent may invoke it autonomously). This is the platform default and acceptable here. The SKILL.md does include commands that would modify system state (npm link), but the skill does not request persistent privileges or modify other skills' configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mxe - 安装完成后,直接呼叫该 Skill 的名称或使用
/mxe触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.0.0
Mermaid, TOC, bookmarks, custom fonts
元数据
常见问题
Mxe 是什么?
Convert Markdown files to PDF, DOCX, or HTML with advanced formatting, Mermaid diagrams, custom fonts, and table of contents support. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1658 次。
如何安装 Mxe?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mxe」即可一键安装,无需额外配置。
Mxe 是免费的吗?
是的,Mxe 完全免费(开源免费),可自由下载、安装和使用。
Mxe 支持哪些平台?
Mxe 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mxe?
由 tuanpmt(@tuanpmt)开发并维护,当前版本 v2.0.0。
推荐 Skills