ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Use agentbrowser to convert html to image

Takes a URL, HTML file path, or raw HTML code and generates a printable image.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 178 · 1 current installs · 1 all-time installs
by@upwell
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the implementation (render URL/file/code -> image). However the runtime script depends on the 'npx' / Node toolchain (it runs npx --yes agent-browser) and network access to fetch packages, yet the skill metadata declares no required binaries or install steps. That omission is incoherent: a legitimate implementer should declare Node/npx as required or vendor the renderer.
Instruction Scope
Instructions and the script stay within the stated task: open a URL or local file or a temp HTML file and take a screenshot. The script reads local files (file:// handling) and writes temp files and an output file in the current working directory, which is expected. Two minor but important issues: (1) on error the script echoes the full constructed command (including the target URL), which can leak credentials embedded in URLs; (2) accepting raw HTML via CLI and writing it into a temp file without sanitization is expected for this task but should be noted for privacy and injection considerations.
!
Install Mechanism
No install spec is provided, but the script uses npx --yes to fetch and run 'agent-browser' at runtime. npx will download and execute code from the npm registry (or cache) — this is effectively executing remote code on-demand. That is proportional to the purpose only if 'agent-browser' is trusted and pinned; using npx --yes without pinning or an explicit install spec increases risk of supply-chain or remote-code execution.
Credentials
The skill does not request environment variables or credentials in metadata, which is appropriate. Note: because the script prints the constructed command on failure, secrets embedded in target URLs (e.g., https://user:pass@host) could be revealed in error output.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated platform privileges. It only writes temp files and an 'output' directory under the current working directory and cleans up temp HTML files; that scope is proportional.
What to consider before installing
This skill appears to perform the advertised task, but exercise caution before installing or running it: - The script calls 'npx --yes agent-browser' at runtime, which will download and execute code from npm. Only proceed if you trust the 'agent-browser' package and the npm environment, or modify the skill to pin a known-safe version or vendor the renderer. - The metadata does not declare that Node/npx are required; ensure your environment has Node and npx if you intend to use it. - Avoid passing URLs that contain credentials (user:pass@host) because the script may echo the constructed command on error and leak those credentials. - The skill can access local files (it accepts absolute file paths). Do not allow it to run on sensitive filesystem paths unless you trust the environment and the renderer. Recommended mitigations: pin or vendor the agent-browser executable, declare Node/npx as required binaries in metadata, remove or sanitize command-string output on error, and run the skill in a restricted/sandboxed environment if you cannot fully trust npm package provenance.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971rwwsyq7fx3cnnn9c91dd8n82d8xz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

HTML to Image Skill (via agent-browser)

This skill utilizes OpenClaw's agent-browser composition to render a URL, local HTML file, or raw HTML string into an image. It executes a lightweight Bash script wrapper.

Usage Guide

When using this skill to generate an image, provide the source_type and source_content.

  • source_type: The content format (url, file, or code).
  • source_content: The target URL, absolute file path, or HTML code block.
  • format: The desired image format (png, jpeg, or webp). Default is png.
  • width: The width of the browser viewport. Default is 1200px.
  • full_page: Set to true to take a full page screenshot instead of just the viewport.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…