MD Table Image
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is generally aligned with rendering tables, but it renders unescaped markdown inside an unsandboxed browser, which could let malicious table content run or load web content during image creation.
Review this skill before installing if it may process untrusted table content. It should escape markdown content and avoid unsandboxed browser rendering; otherwise, use it only for trusted tables and safe output paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed, tables may be sent as image attachments instead of editable markdown text.
This explicitly changes the agent's default behavior for table responses. It is clearly disclosed and matches the stated purpose, so it is a notice rather than a concern.
**Always** use this skill when sending tables to chat. Render the table as an image and send the image instead of raw markdown.
Install only if you want this response-format change; otherwise invoke it manually when an image table is actually needed.
A crafted table or title could cause the renderer's browser to run unexpected web content, contact external or local network resources, or rely on weakened browser isolation.
Markdown cells and the title are inserted into HTML without HTML escaping, then rendered in Chrome with the browser sandbox disabled. Malicious markdown or title text could become active HTML/JavaScript or trigger remote resource loads during rendering.
html += '<tr>' + cells.map(c => `<${tag}>${formatCell(c)}</${tag}>`).join('') + '</tr>'; ... ${values.title ? `<div class="title">${values.title}</div>` : ''} ... await page.setContent(htmlContent, { waitUntil: 'networkidle0' }); ... args: ['--no-sandbox', '--disable-setuid-sandbox']
Escape all user-supplied markdown/title text before building HTML, disable JavaScript or block network requests during rendering, and avoid running Chrome with --no-sandbox unless absolutely required.
The skill may fail or require npm dependencies and a compatible Chrome installation even though the registry metadata only lists node.
The skill is described as having no install spec and only requiring node, but it includes an npm dependency and runtime code that imports puppeteer-core. This dependency is purpose-aligned for browser screenshots, and a package-lock is present, but users should be aware of the additional runtime requirement.
"dependencies": { "puppeteer-core": "^24.37.5" }
Document the required npm install process and Chrome requirement, and keep dependency versions pinned through the lockfile.
