Xhs Md2img
Analysis
This skill is coherent for turning Markdown into XHS-style card images, but it uses external AI/image services, API keys, browser rendering, and optional cloud-hosted outputs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Launch browser in headless mode. ... Capture each card element separately.
Headless browser rendering is central to the skill's screenshot purpose, but browser-based rendering of user-supplied Markdown should be implemented carefully.
httpx>=0.24.0
openai>=1.0.0
playwright>=1.40.0
oss2>=2.18.0
The package list includes network, LLM, browser automation, and cloud storage libraries with lower-bound versions; no automatic install is specified.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Headers:
Authorization: Bearer {DASHSCOPE_API_KEY}
The skill uses a provider API key to call DashScope for image generation, which is expected for AI backgrounds but still grants use of the user's provider account and quota.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Both providers receive an enhanced prompt that enforces subtlety
The documentation discloses that generated prompts are sent to external image providers; this is purpose-aligned but means content-derived data can leave the local environment.
"url": "https://...",
"oss_uploaded": true
...
If OSS is not configured, return `data_uri` for each page.
The output contract allows generated cards to be returned as hosted URLs when object storage is configured, otherwise as data URIs.
