Markdown Viewer
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for a live Markdown viewer, but users should be aware that it installs a global npm package and runs a localhost server that can read local files by path.
This appears to be a legitimate local Markdown preview helper. Before installing, verify the npm package/source, run the server only when needed, and prefer `mdview --root <your-project>` so the viewer is limited to the files you intend to preview.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used without `--root`, the local viewer may display any file path it is asked to open, so users should avoid exposing unintended sensitive files.
The viewer needs file access to render Markdown, but the documented path parameter can read local files unless the user starts the server with a root restriction.
The `/view?path=` parameter reads files from your local filesystem. Use `--root <dir>` to restrict access to a specific directory tree.
Start the server with `--root <project-dir>` when possible and only open files you intend to view.
Installing the package gives that npm package local code execution through the `mdview` command.
The skill relies on a globally installed npm package, while the provided artifacts contain only SKILL.md and no package source code.
`npm install -g @wipcomputer/markdown-viewer`
Verify the npm package and linked GitHub repository before installing, and install from a trusted version.
The server will keep running in the background until stopped and will occupy the configured local port.
The quick start launches the `mdview` server as a background process, which is expected for a live preview tool but still affects the local runtime environment.
`curl -s http://127.0.0.1:3000/ > /dev/null 2>&1 || mdview &`
Run the server intentionally, confirm the port and root directory, and stop it when finished.
Users may underestimate the normal trust decision involved in installing a third-party CLI package.
This is a broad safety claim about supply-chain risk, even though the user is still asked to install and run an npm package.
Zero npm dependencies. No supply chain risk beyond Node.js itself.
Treat the package installation as a normal third-party software install despite the low-dependency claim.
