auto-md2img

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: auto-md2img
Version: 1.3.1

The skill bundle is classified as suspicious due to a significant discrepancy between its documented security features and the actual implementation in 'scripts/md_to_png.js'. While 'SKILL.md' and 'README.md' claim to provide path traversal protection via an output directory whitelist, filename sanitization, and input size limits, the code lacks these checks entirely, allowing for arbitrary file reads and writes. Furthermore, the script uses Puppeteer with '--no-sandbox' to render potentially untrusted Markdown, which poses a risk of XSS-based attacks if the input is not sanitized. The presence of 'fake' security claims in the documentation is a high-risk indicator of either poor quality or intentional misdirection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious Markdown document could run active browser content during image generation, potentially leaking the rendered private content or probing network resources.

Why it was flagged

Markdown is converted to HTML and inserted into a Puppeteer page, while Chromium is launched without its normal sandbox. If raw HTML or scripts are present in Markdown, they may execute during rendering and can make network requests from the browser context.

Skill content

const html = marked.parse(block); ... await page.setContent(`<div ...>${html}</div>`, { waitUntil: 'networkidle0' }); ... args: ['--no-sandbox', '--disable-setuid-sandbox']

Recommendation

Sanitize or escape raw HTML before rendering, disable script execution where possible, block outbound network requests in Puppeteer, and avoid `--no-sandbox` unless running inside a separate hardened container.

What this means

Installing or preparing the skill may fetch external packages and a browser runtime, so dependency provenance matters.

Why it was flagged

The skill depends on external npm packages with caret version ranges. That is expected for this converter, but the exact installed code can vary without a lockfile or pinned versions.

Skill content

"dependencies": { "marked": "^4.3.0", "puppeteer": "^21.7.0" }

Recommendation

Declare the install requirements in registry metadata, include or verify a lockfile, and pin dependency versions for reproducible installs.

What this means

Private Markdown content may remain on disk if debug mode is used or if output directories are not cleaned.

Why it was flagged

Debug mode intentionally persists intermediate render artifacts and split Markdown content, which may include private user or conversation data.

Skill content

When enabled with `--debug` flag: ... Saves intermediate HTML render files ... Saves raw pagination split content as separate text files

Recommendation

Use debug mode only for non-sensitive content, write outputs to a temporary directory, and delete generated logs/intermediate files after troubleshooting.