Use markdown-it to render Markdown to HTML
Pass. Audited by ClawScan on May 15, 2026.
Overview
This is a straightforward markdown-it reference skill, with only user-directed npm installation and code examples that users should apply carefully when rendering untrusted Markdown.
Safe to use as a markdown-it reference. Before copying examples into production, verify npm packages, avoid unnecessary global installs, and sanitize or validate output when rendering Markdown from other users.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing npm packages can change the local Node.js environment, and a global install persists a CLI on the machine.
The skill instructs users to install a third-party npm package, including an optional global CLI install. This is expected for a markdown-it usage guide, but it still depends on npm package provenance and version selection.
npm install markdown-it ... npm install -g markdown-it
Install from the official npm package, prefer project-local installs over global installs when possible, and use a lockfile or pinned version for reproducible projects.
If adapted for untrusted Markdown, careless custom rendering could introduce unsafe HTML or embeds into the rendered page.
The custom renderer example emits raw iframe HTML based on a Markdown-supplied URL component. This is relevant because custom renderers can bypass markdown-it's default escaping if copied without additional validation.
const id = src.split('/').pop();
return `<div class="embed-responsive"><iframe src="//player.vimeo.com/video/${id}"></iframe></div>`;
Keep `html: false` for untrusted Markdown, strictly validate or escape URL-derived values in custom renderers, and consider sanitizing the final HTML before serving it.
