Markdown to HTML Converter

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: markdown-to-html-converter

Version: 1.0.0

The skill bundle is a comprehensive guide for converting Markdown to HTML using industry-standard tools such as marked.js, Pandoc, Hugo, and Jekyll. It provides legitimate CLI commands, code snippets, and configuration examples aligned with its stated purpose. It also includes proactive security advice, such as recommending HTML sanitizers (e.g., DOMPurify, Bluemonday) and Pandoc's sandbox mode to mitigate XSS risks. There is no evidence of malicious intent, data exfiltration, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Following the setup examples may install third-party tools into the local development environment.

Why it was flagged

The skill documents installing an external Markdown converter package. This is user-directed and purpose-aligned, but users should trust the package source and version before installing global tools.

Skill content

1. Ensure marked is installed: `npm install -g marked`

Recommendation

Install only from trusted package managers, consider pinning versions for repeatable builds, and avoid running global installs unless needed.

What this means

If run with the wrong paths, conversion scripts could create or overwrite generated HTML files.

Why it was flagged

The reference includes a local Node.js script workflow for batch conversion. Running local scripts is expected for this converter skill, but it can read files from the chosen input directory and write output files.

Skill content

Run with: `node convert-all.js`

Recommendation

Review scripts and paths before running them, use a project-specific directory, and keep backups or version control for source documents.

What this means

Publishing or previewing untrusted Markdown as HTML without sanitization could expose viewers to unsafe embedded HTML.

Why it was flagged

The artifacts correctly note that Markdown conversion may produce unsafe HTML unless sanitized. This is a normal risk for Markdown renderers, especially with untrusted input.

Skill content

**Important:** gomarkdown does not sanitize HTML output. Use Bluemonday for untrusted input:

Recommendation

Sanitize untrusted Markdown output with a tool such as Bluemonday or DOMPurify, or disable raw HTML where possible before publishing.