ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Markdown Canvas

v1.0.2

Convert markdown files to beautiful HTML pages suitable for Canvas display or browser viewing. Use when user asks to render, visualize, display, or share mar...

0· 369·0 current·0 all-time
by@jingyu525
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, package.json, template, and the convert.py script all align: this is a simple local Markdown→HTML renderer that requires only python3. Required binaries/env/configs are proportionate.
!
Instruction Scope
SKILL.md limits runtime actions to running scripts/reading the template and optionally opening or pushing the generated file. However, convert.py does not escape or sanitize most user-provided markdown content (headers, paragraphs, links, inline formatting are injected directly into the template). Only code blocks are escaped. That can produce HTML containing raw tags or javascript: links and enable XSS or unexpected script execution when opening or sharing the output.
Install Mechanism
Instruction-only skill with no install spec; only requires python3 on PATH. No downloads or archive extraction present.
Credentials
No environment variables, no credentials, and no config paths requested. The skill does not ask for unrelated secrets or system credentials.
Persistence & Privilege
always:false and no installation hooks are present. The skill does not request persistent/system-level privileges or modify other skills' configuration.
What to consider before installing
This skill does what it says (convert .md → .html) and only needs python3, but it has a security bug: the converter inserts most markdown output into the template without escaping or sanitizing it. That means a malicious or untrusted .md file could inject HTML (including <script> tags) or use javascript: links that execute when the output is opened or shared. Before installing or using on untrusted content: (1) avoid opening or publishing generated HTML from untrusted sources; (2) prefer or request that the author add proper escaping/sanitization (use a well-maintained Markdown library + an HTML sanitizer such as Python's markdown + bleach, or ensure process_inline_formatting applies escape_html before inserting text and validate/sanitize URLs); (3) review or test the script locally with representative inputs; (4) consider using established tooling that enforces safe defaults. If you only convert trusted personal notes, the risk is lower, but heed caution when sharing or running on external markdown.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📝 Clawdis
Binspython3
latestvk976ds2v99p9dcqsbmhxbbser1827tdj
369downloads
0stars
3versions
Updated 22h ago
v1.0.2
MIT-0
@jingyu525
latest
Download

Markdown Canvas Renderer

Convert markdown files into beautiful, shareable HTML pages with zero external dependencies.

Quick Start

When a user wants to render a markdown file:

  1. Run the conversion script:

    python3 scripts/convert.py <path/to/file.md>

  2. Open in browser (if no Canvas node available):

    open <output.html>

  3. Or push to Canvas (if node paired):

    canvas present file://<output.html>

Usage Examples

Basic conversion

# Converts ai-landscape-2026.md → ai-landscape-2026.html
python3 scripts/convert.py ai-landscape-2026.md

Custom output path

python3 scripts/convert.py input.md -o /path/to/output.html

Custom page title

python3 scripts/convert.py notes.md -t "My Research Notes"

Supported Markdown Features

The converter handles:

  • Headers (# through ######)
  • Bold (**text** or __text__)
  • Italic (*text* or _text_)
  • Code blocks (language ... )
  • Inline code (code)
  • Links ([text](url))
  • Lists (unordered: - , * , + )
  • Horizontal rules (---, ***, ___)

Design Philosophy

Token efficiency: Template is pre-built; only markdown content flows through the context window.

Zero dependencies: Pure Python + self-contained HTML template with embedded CSS.

Progressive enhancement: Works offline, no CDN required, renders instantly.

Workflow

  1. User requests markdown rendering
  2. Run scripts/convert.py on their file
  3. Script reads assets/template.html
  4. Script converts markdown → HTML
  5. Script injects HTML into template
  6. Output saved alongside source (or custom path)
  7. Open in browser OR push to Canvas

Token Cost Analysis

Per conversion:

  • Read SKILL.md: ~500 tokens (first time only)
  • Execute script: ~100 tokens
  • Report result: ~50 tokens

Total: ~650 tokens vs ~8000 tokens for generating full HTML each time.

Output Location

By default, output is saved next to the input file:

  • notes.mdnotes.html
  • /path/to/doc.md/path/to/doc.html

Use -o flag to specify custom location.

Comments

Loading comments...