ClawHub

Md Viewer

v1.0.2

LAN-accessible web viewer for Markdown files optimized for e-readers. Auto-binds to LAN IP for easy access. TRIGGER when user says "cho tôi xem", "show me",...

0· 108·0 current·0 all-time
by@hoangcongst

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hoangcongst/md-viewer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Md Viewer" (hoangcongst/md-viewer) from ClawHub.
Skill page: https://clawhub.ai/hoangcongst/md-viewer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install md-viewer

ClawHub CLI

Package manager switcher

npx clawhub@latest install md-viewer
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the code and SKILL.md do: a local web server that renders .md files and generates LAN links. No unrelated credentials, binaries, or cloud services are requested.
Instruction Scope
SKILL.md instructs the agent to start a local server and generate LAN links rather than reading/summarizing file contents — this matches the code. The server necessarily reads markdown files to serve them (expected), but the skill does not instruct the agent to collect or transmit unrelated system data. Be aware the agent will instruct the local system to run a network-facing server.
Install Mechanism
No remote installers or downloads are used; code is bundled in the skill and dependencies are typical Python packages (markdown, bleach). No high-risk install URLs or archive extraction are present.
Credentials
The skill requests no environment variables or external credentials. It stores history to a file in the user's home directory and uses a generated password/token to protect access — these are proportionate and expected for its functionality.
Persistence & Privilege
always:false (no forced installation). The server writes a history file (~/.md-viewer-history.json) and creates a long-lived cookie (30 days) for convenience. It also binds to a LAN IP by default (network exposure), which is necessary for sharing but is a privileged network-facing behaviour to be aware of.
Assessment
This skill appears to be what it claims: a local LAN web viewer for .md files. Before installing, consider these practical security/privacy points: - Network exposure: the default behavior auto-binds to your LAN IP and opens a listening port (8765). Only run on trusted networks or use the --localhost option to restrict to loopback. - URL tokens: links include the password/token in the URL. Tokens in URLs can leak via browser referrers, logs, or chat messages. Treat links as sensitive and avoid sharing on untrusted systems. - Cookie lifetime & auth: the cookie is persistent (30 days). If someone can access the browser on a device that opened the link, they may gain access until the cookie expires. - History file: the server stores a history file (~/.md-viewer-history.json) that may include names/paths of viewed files. Use --no-history if you prefer not to persist that. - Path checks: the code blocks common sensitive paths/patterns, but path-blocking is based on string checks. If you have concerns, review server.py to confirm it resolves symlinks and enforces absolute paths before serving. - Sanitization: the code prefers bleach for sanitization; if bleach is not installed, it falls back to regex-based sanitization which is less robust. Install bleach (pip3 install bleach) to improve XSS protection. If you want to minimize risk: run with --localhost, use a strong custom password (--password), disable history (--no-history), and keep bleach installed. Review the bundled server.py yourself if you handle sensitive files.

Like a lobster shell, security has layers — review code before you run it.

latestvk977vdecs5hjwmqjzr1mbxxrts847rps
108downloads
0stars
2versions
Updated 3w ago
v1.0.2
MIT-0
@hoangcongst
latest
Download

MD Viewer

Key Principle

When user says "show me the file", "view this file":

  • ❌ DO NOT read and summarize the content
  • ✅ DO generate LAN link for user to view directly

User wants to VIEW the file themselves, not hear a summary.

Security Features

  • Only .md files - Blocks all other file types
  • Blocked paths - Cannot access /etc, ~/.ssh, ~/.gnupg, etc.
  • Password protection - Auto-generated password with cookie auth (30 days)
  • XSS protection - HTML sanitized with bleach library
  • CSP headers - Content Security Policy enforced
  • Auto LAN IP binding - Binds to LAN IP automatically
  • Link sharing - Token in URL for one-time access, saves cookie for future
  • No caching - Files always refresh on page reload

Workflow

Step 1: Start Server (Auto-generates password and binds to LAN)

python3 ~/.openclaw/skills/md-viewer/scripts/server.py

Output:

============================================================
📄 MD Viewer Server Started
============================================================
Local:    http://localhost:8765
Network:  http://10.0.10.93:8765
------------------------------------------------------------
🔐 Password: a1b2c3d4e5f6
   ⚠️  SAVE THIS PASSWORD - Required for login!
============================================================

Step 2: Share Link

Links include password token for easy sharing:

http://10.0.10.93:8765/view?path=/path/to/file.md&token=PASSWORD

Step 3: Access

  1. Click link → Auto-authenticated via token
  2. Password saved to cookie (30 days)
  3. Future visits → Auto-authenticated via cookie

Server Options

python3 ~/.openclaw/skills/md-viewer/scripts/server.py [options]

Options:
  --host HOST          Host to bind (default: auto-detect LAN IP)
  --port PORT          Port (default: 8765)
  --password PASSWORD  Custom password (auto-generated if not set)
  --no-history         Disable history tracking for privacy
  --localhost          Bind to localhost only (no LAN access)

Blocked Paths

Automatically blocked:

  • System: /etc, /proc, /sys, /dev, /var/log
  • SSH: ~/.ssh/, id_rsa, id_dsa, etc.
  • GPG: ~/.gnupg/
  • Cloud: ~/.aws/, ~/.gcp/
  • Passwords: .netrc, .pgpass, .env
  • Certs: .pem, .key, .p12, .pfx

Features

  • Light theme (e-ink optimized)
  • Serif fonts for comfortable reading
  • High contrast for e-readers
  • Syntax highlighting
  • Mobile-friendly UI
  • History tracking (50 files, enabled by default)
  • Cookie-based authentication (30 days)
  • XSS protection with bleach
  • Auto LAN IP binding

Dependencies

pip3 install markdown bleach

Resources

scripts/

  • server.py - Web server with security features
  • md-link.py - Link generator helper

Comments

Loading comments...