Rendshot
Pass
Audited by ClawScan on May 10, 2026.
Overview
Rendshot is a coherent image and screenshot skill, but using it may send HTML, prompts, URLs, and an API key to Rendshot or require optional package installs.
This skill appears safe to install for Rendshot image generation and screenshots. Before use, decide whether you trust Rendshot with the HTML, prompts, URLs, and templates you provide; configure API keys carefully; verify any optional npm or pip packages; and approve template creation or public visibility explicitly.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the agent can make Rendshot API requests using the user's account credentials.
The fallback API path uses a Rendshot bearer token. This is purpose-aligned for an external rendering service, but it grants account/quota access and should be handled as a sensitive credential.
Authentication: `Authorization: Bearer rs_live_xxx` ... `-H "Authorization: Bearer $RENDSHOT_API_KEY"`
Use a dedicated Rendshot API key if possible, keep it out of prompts and shared files, and rotate it if exposed.
Private HTML, unpublished designs, internal URLs, or sensitive page content could be shared with Rendshot if the user asks the agent to render them.
The documented API sends HTML, prompts, template variables, or URLs to Rendshot's external service for rendering or screenshotting. This is expected for the skill but creates an external data boundary.
Base URL: `https://api.rendshot.com` ... `POST /v1/image` ... `"html": "<div style=\"...\">Hello</div>"` ... `POST /v1/screenshot` ... `"url": "https://example.com"`
Avoid sending sensitive or internal pages unless you trust Rendshot's handling of the data; consider a self-hosted endpoint for confidential content.
If the user installs the optional CLI or SDKs, they rely on external package registries and the package maintainers.
The fallback CLI/SDK path documents installing external packages without pinning versions. These are optional and purpose-aligned, not automatically executed by the skill.
Install: `npm install -g rendshot` ... Install: `npm install @rendshot/sdk` ... Install: `pip install rendshot`
Install only from trusted registries, verify the package identity, and pin versions where possible.
Generated HTML or designs may be stored in the Rendshot account, and public visibility could expose a template if selected.
The skill can create persistent templates in the user's Rendshot account and includes a public visibility option. This is aligned with the template workflow and defaults to private.
`create_template` ... `Save a template for reuse. Created as private draft.` ... `visibility` | `"public"|"private"` | `"private"`
Confirm before creating templates, keep visibility private unless publishing is intentional, and avoid storing sensitive content in templates.
