Url Images To Pdf

从URL提取图片并生成PDF（保持原文顺序，不排序）

This script is functionally coherent but has two actionable issues to consider before installing or running it: (1) It is narrowly targeted to WeChat (mmbiz) image URLs even though the doc claims general webpage support — expect it to miss images on many sites. (2) Command-injection risk: the code uses execSync with a shell string that includes the raw URL. If you or the agent will pass URLs you don't control, don't run it as-is. Suggested mitigations: replace the curl execSync call with a safe HTTP fetch implemented in Node (https/http or node-fetch/axios) or call curl via execFile/child_process.spawn with arguments (not via a single shell string), validate and strictly sanitize the URL (allow only https URLs and reject characters like backticks, $(), semicolons), and declare curl as a dependency in SKILL.md if you keep it. Also consider expanding or making the image-extraction regexes configurable if you expect non-mmbiz pages. Finally, test the script in an isolated environment (sandbox) before running on sensitive hosts.

Type: OpenClaw Skill Name: url-images-to-pdf Version: 1.0.2 The `extract.js` script contains a critical command injection vulnerability. It uses `child_process.execSync` to execute a `curl` command with user-provided input (`process.argv[2]`) without proper sanitization. This allows an attacker to inject arbitrary shell commands via the URL argument, leading to Remote Code Execution (RCE). While this is a severe vulnerability, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration, persistence) by the skill itself, classifying it as suspicious rather than malicious.