Markdown Editor With Chat
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: markdown-editor-with-chat
Version: 1.1.2

The skill is classified as suspicious because of a client-side Cross-Site Scripting (XSS) vulnerability in the custom markdown renderer in `scripts/index.html`. The `renderMarkdown` function embeds user-controlled `href` values from markdown links directly into `<a>` tags without checking the URL scheme, so a `javascript:` URL executes arbitrary script in the user's browser when the link is clicked. The chat feature also carries a prompt injection risk against the OpenClaw gateway AI: it sends the current markdown file content as context, so untrusted content in the open document (for example, a file received from someone else) can steer the model's responses. Server-side measures such as binding the host to localhost or private IPs are present, but the path-traversal check is a plain string-prefix comparison (see below), and the client-side XSS remains a significant vulnerability.
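The following is an added example, not code from the markdown-editor-with-chat skill or from this scan. It shows the href-embedding pattern described above beside a hardened renderer that checks the URL scheme and escapes attribute values. The function names `renderLinkVulnerable`, `renderLinkSafe` and `sanitizeHref`, the scheme allow-list, and the dummy base URL are assumptions made for this example.

```javascript
// Added example, not code from the markdown-editor-with-chat skill. It shows
// the href-embedding pattern the overview describes and a hardened renderer.
// renderLinkVulnerable, renderLinkSafe, sanitizeHref and the scheme allow-list
// are assumptions made for this example.

// Unsafe pattern: the markdown link target goes straight into the attribute,
// so "javascript:alert(1)" survives into the DOM as a clickable link.
function renderLinkVulnerable(text, href) {
  return `<a href="${href}">${text}</a>`;
}

// Escape the five characters that can break out of an attribute or element.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Schemes a markdown link may use; everything else (javascript:, data:,
// vbscript:, ...) is dropped. Allow-listing is safer than block-listing.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns the href unchanged when its scheme is allowed, otherwise null.
// The WHATWG URL parser applies the same normalisation a browser would
// (leading whitespace stripped, embedded tabs/newlines removed, scheme
// lower-cased), so "  JaVaScRiPt:" or "java\nscript:" cannot slip past the
// way they would a naive startsWith('javascript:') test. Relative links
// resolve against a dummy base and therefore inherit its https: scheme.
function sanitizeHref(href) {
  let parsed;
  try {
    parsed = new URL(href, 'https://editor.invalid/');
  } catch (err) {
    return null; // unparseable input is not a link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? href : null;
}

// Hardened renderer: scheme check plus attribute/text escaping. Links with a
// rejected scheme are rendered as plain text so the content is not lost.
function renderLinkSafe(text, href) {
  const safeHref = sanitizeHref(href);
  if (safeHref === null) {
    return escapeHtml(text);
  }
  return `<a href="${escapeHtml(safeHref)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```

The scheme check alone is not enough: an `href` such as `https://x/" onmouseover="alert(1)` has an allowed scheme but breaks out of the attribute unless it is escaped, which is why `renderLinkSafe` does both.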
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted local request could potentially list, read, or save markdown files outside the folder the user intended to expose.
The filesystem boundary is enforced with a raw string-prefix check. A sibling directory whose path starts with the same characters as MARKDOWN_DIR passes this style of check (for example, `/srv/notes-private` starts with `/srv/notes`), which weakens the advertised path-traversal protection.
```js
const resolved = path.resolve(MARKDOWN_DIR, requestedPath);
if (!resolved.startsWith(path.resolve(MARKDOWN_DIR))) {
  return null;
}
```

Fix `safePath` to compare canonical paths with `path.relative` and reject absolute paths, `..` traversal, and separator-confused prefixes. Until fixed, use a dedicated non-sensitive MARKDOWN_DIR and keep the server bound to 127.0.0.1.
If chat is enabled, anyone who can reach the local server's chat endpoint may be able to make gateway-backed chat requests through the configured token.
The skill reads an OpenClaw gateway token from the environment and uses it as a Bearer token for chat requests. This is disclosed and purpose-aligned, but it is still delegated account or service authority: whatever can reach the chat endpoint can spend that token's access without ever holding the token itself.
```js
const GATEWAY_TOKEN = process.env.OPENCLAW_GATEWAY_TOKEN || '';
...
'Authorization': `Bearer ${GATEWAY_TOKEN}`
```

Use a limited gateway token, keep the server on localhost unless you intentionally trust the network, and unset the token when chat is not needed.
Text you send to the chat panel, and any document content you paste into it, may be processed by the configured gateway.
Chat messages are proxied to the configured OpenClaw gateway. This is expected for the optional chat feature, but it means chat content leaves the editor process and is sent to that gateway.
```js
body: JSON.stringify({ model: 'default', messages, stream: false })
```

Only configure a trusted gateway URL, and avoid sending sensitive markdown content unless that gateway is appropriate for it.
