Html To Image
Analysis
This skill is suspicious because it asks the agent to install and run an unpinned CLI, authenticate through Membrane, and make broad credentialed API/proxy calls with limited safeguards.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
`clientAction.agentInstructions` (optional) — instructions for the AI agent on how to proceed programmatically.
The skill tells the agent to consume instructions returned by the connection service, without limiting those instructions to the user's original request or treating them as untrusted.
`membrane request CONNECTION_ID /path/to/endpoint` ... `HTTP method (GET, POST, PUT, PATCH, DELETE)` ... `injects the correct authentication headers`
The skill exposes broad authenticated proxy requests with user-controlled paths and mutating HTTP methods, without clear approval, scope, or rollback limits.
`npm install -g @membranehq/cli@latest`; `Official docs: https://htmlcsstoimage.com/docs`; `membrane connection ensure "https://htmlcsstoimg.com/" --json`
The skill depends on an unpinned global npm install and also shows a connection URL that differs from the official docs domain, creating provenance and dependency ambiguity.
Install the Membrane CLI so you can run `membrane` from the terminal: `npm install -g @membranehq/cli@latest`
The runtime instructions ask the user or agent to execute a global package installation even though the registry describes the skill as instruction-only with no install spec.
`membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --json` and proxy methods include `POST, PUT, PATCH, DELETE`A single wrong action id, input payload, endpoint path, or method can propagate into authenticated remote API activity, with no containment or rollback guidance.
`Membrane handles authentication and credentials refresh automatically — so you can focus on the integration logic rather than auth plumbing.`
The wording frames credential handling as convenience; it is not deceptive by itself, but users should recognize that delegated credentials and refresh are significant security decisions.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
`Requires network access and a valid Membrane account` ... `Membrane handles authentication and credentials refresh automatically` ... `injects the correct authentication headers`
The skill relies on delegated account access, automatic credential refresh, and credential injection into proxied requests, but does not clearly bound the scope or lifetime of that authority.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
`Each result includes id, name, description, inputSchema ...` and `clientAction.agentInstructions`
The skill places externally returned descriptions, schemas, and agent instructions into the agent's working context; this is purpose-aligned but should not be treated as higher authority than the user's request.
When the available actions don't cover your use case, you can send requests directly to the HTML to Image API through Membrane's proxy ... `injects the correct authentication headers`
The integration routes requests and credentials through Membrane as a gateway/proxy. This is disclosed and aligned with the Membrane integration model, but it is sensitive.