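Converts Markdown documents into polished PNG images. Triggered when the user asks to convert a markdown file or markdown text into an image, screenshot, or png. Supports multiple themes (note/dark/sakura/ocean/tech, etc.) and sizes (mobile/tablet/laptop/desktop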
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for converting Markdown to PNG, with scoped local file use, but users should notice it runs a local npm CLI through Bash and may require a global npm package install.
This appears safe for its stated purpose. Before installing, confirm you trust md2png-cli@1.0.2, run it only in the working directory containing the Markdown you want converted, and use simple relative filenames for inputs and outputs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
To use the skill, the user may need to install and trust a global npm package that will execute locally.
The skill relies on an external npm package that is not represented in an install spec. The version is pinned and the skill says not to auto-download it, so this is a supply-chain notice rather than a concern.
Prompt the user to run the following command to install it first, then retry: `npm install -g md2png-cli@1.0.2`
Install md2png-cli only from a trusted npm source, keep the pinned version, and consider declaring the dependency in metadata or an install spec.
Unusual filenames or poorly quoted arguments could cause command failures or unintended shell behavior.
The skill runs a Bash command using user-selected input and output values. It includes whitelist and path checks, but safe execution still depends on treating filenames as data and not as shell fragments.
`npx --no-install md2png-cli <input file path> -t <theme> -s <size> -o <output filename>`
Use simple relative filenames, keep the output filename whitelist, and ensure all command arguments are quoted or otherwise passed safely.
The skill can execute the local md2png CLI and create or remove files in the current directory.
The skill is authorized to run local shell commands and read/write files. This is expected for a local Markdown renderer, and the instructions limit it to the current working directory and use `--no-install` to avoid runtime downloads.
allowed-tools: Bash, Read, Write, Glob
Use it in a project directory where creating PNG output and temporary Markdown files is acceptable.
