Baoyu Markdown To Html
v1.76.2Converts Markdown to styled HTML with WeChat-compatible themes. Supports code highlighting, math, PlantUML, footnotes, alerts, infographics, and optional bot...
⭐ 0· 959·34 current·34 all-time
byJim Liu 宝玉@jimliu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Markdown → styled HTML) matches the included scripts and vendor renderer. Requesting bun or npx is reasonable because the skill executes the bundled TypeScript files. No unrelated binaries, credentials, or config paths are required.
Instruction Scope
Runtime instructions require reading the input markdown file and optional EXTEND.md config files from project, XDG, and user locations (and may check another skill's EXTEND.md for theme fallback). They may invoke another formatting skill when asked and will execute the bundled script (${BUN_X} {baseDir}/scripts/main.ts). This file I/O and cross-skill config lookup is explained by the purpose, but it does mean the skill will read files under your home and project directories and may download/resolve remote images referenced in the markdown — review if you are concerned about local config access or outbound image fetching.
Install Mechanism
No network install/spec is used; the skill is instruction-only for execution but bundles local source files. Execution uses local bun or an npx-wrapped bun invocation. There is no download-from-arbitrary-URL install step in the spec.
Credentials
The skill declares no required environment variables or credentials. It does read common config locations (HOME, XDG_CONFIG_HOME) to find EXTEND.md files, which is proportionate for user-configurable themes and preferences.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It can be invoked autonomously by the agent (default platform behavior). Combined with file reads in the user's home and cross-skill EXTEND.md checks, this means an autonomous run could access those config files and process markdown without an extra explicit install step — this is expected but worth noting.
Assessment
This skill appears to do what it claims: convert Markdown to styled HTML using the bundled TypeScript renderer. Before installing or allowing autonomous runs, consider the following:
- Review the bundled scripts if you want to be certain there are no unexpected network endpoints or data-exfiltration logic (the skill may fetch remote images referenced by your markdown). The source is included in the package so a quick scan for network calls in resolveContentImages/renderer will clarify behavior.
- The skill reads EXTEND.md in your project and user config locations, and will check another skill's EXTEND.md as a fallback for theme preference — ensure you're comfortable with those files being read.
- Execution requires bun (or npx as a wrapper); ensure you trust running the bundled code via those runtimes in your environment or run it in a sandboxed/isolated environment if you prefer.
- If you want to avoid any automatic file reads or outbound requests, run the converter manually on a copy of your markdown and inspect generated HTML rather than enabling autonomous invocation.
Overall the package is internally consistent with its stated purpose; if you have low tolerance for any automatic file access or remote image fetching, inspect the code paths mentioned above or run the tool in a controlled environment.Like a lobster shell, security has layers — review code before you run it.
latestvk9783kwvzw47ttccq1hqqkhza583kjca
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Any binbun, npx