MD Table Image
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill is classified as suspicious due to a critical vulnerability in `scripts/render.mjs`. It directly embeds user-provided markdown content into HTML without proper sanitization, allowing for Cross-Site Scripting (XSS). More critically, Puppeteer is launched with the `--no-sandbox` and `--disable-setuid-sandbox` flags, which disable the browser's security sandbox. This combination creates a severe Remote Code Execution (RCE) risk, as a malicious user could inject crafted HTML/JavaScript that, if exploited, could execute arbitrary code on the host system with the privileges of the OpenClaw agent, bypassing critical security protections.
