pixelmsg

This skill appears to do what it claims (render HTML templates to PNGs) but there are some mismatches you should consider before installing or running it: - Runtime requirements: The skill relies on Node.js and Playwright (and a Chromium browser) but the skill metadata does not declare these as required binaries. Plan to run `npm install` and `npx playwright install chromium` before using it. - Network access: Although SKILL.md says 'no external API calls', templates and the rendering environment use CDNs (fonts, Tailwind, Alpine) and one template (templates/shanghai-weather.html) performs a live fetch() to Open-Meteo. Because Playwright runs a full browser, template scripts can make arbitrary network requests — review templates for any unexpected fetch/XHRs or remote endpoints if you want to avoid outbound network traffic. - Workspace path assumptions: SKILL.md instructs copying the generated PNG into ~/.openclaw/workspace and returning a MEDIA: line. Ensure that path is correct for your runtime and that copying files there is acceptable. If your agent runtime uses a different workspace, adjust the script or delivery method. - Audit the templates: Templates are the active attack surface. Inspect all templates (and any new templates you accept) for remote endpoints, inline <script> that posts data, or obfuscated code. If you want to reduce network risk, host required JS/CSS/fonts locally and remove any fetch() calls. - Run in a sandbox first: Execute the render script in an isolated environment (container or VM) so you can observe network activity (eg. with tcpdump) and filesystem writes before enabling autonomous agent invocation. If you want, I can list every file that performs network calls or produce a short checklist of changes to lock the skill down (disable external fetches, vendor CDN assets, and make the workspace path configurable).