Rendshot
Advisory
Audited by VirusTotal on Apr 14, 2026.
Overview
Type: OpenClaw Skill
Name: rendshot
Version: 1.0.0
The 'rendshot' skill is a legitimate tool for generating images from HTML/CSS, templates, or AI prompts, and for taking website screenshots via the Rendshot API (api.rendshot.com). The provided documentation (SKILL.md, api-endpoints.md, mcp-tools.md) is consistent with its stated purpose and contains no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the agent can make Rendshot API requests using the user's account credentials.
The fallback API path uses a Rendshot bearer token. This is purpose-aligned for an external rendering service, but it grants account/quota access and should be handled as a sensitive credential.
Authentication: `Authorization: Bearer rs_live_xxx` ... `-H "Authorization: Bearer $RENDSHOT_API_KEY"`
Use a dedicated Rendshot API key if possible, keep it out of prompts and shared files, and rotate it if exposed.
Private HTML, unpublished designs, internal URLs, or sensitive page content could be shared with Rendshot if the user asks the agent to render them.
The documented API sends HTML, prompts, template variables, or URLs to Rendshot's external service for rendering or screenshotting. This is expected for the skill but creates an external data boundary.
Base URL: `https://api.rendshot.com` ... `POST /v1/image` ... `"html": "<div style=\"...\">Hello</div>"` ... `POST /v1/screenshot` ... `"url": "https://example.com"`
Avoid sending sensitive or internal pages unless you trust Rendshot's handling of the data; consider a self-hosted endpoint for confidential content.
If the user installs the optional CLI or SDKs, they rely on external package registries and the package maintainers.
The fallback CLI/SDK path documents installing external packages without pinning versions. These are optional and purpose-aligned, not automatically executed by the skill.
Install: `npm install -g rendshot` ... Install: `npm install @rendshot/sdk` ... Install: `pip install rendshot`
Install only from trusted registries, verify the package identity, and pin versions where possible.
Generated HTML or designs may be stored in the Rendshot account, and public visibility could expose a template if selected.
The skill can create persistent templates in the user's Rendshot account and includes a public visibility option. This is aligned with the template workflow and defaults to private.
`create_template` ... `Save a template for reuse. Created as private draft.` ... `visibility` | `"public"|"private"` | `"private"`
Confirm before creating templates, keep visibility private unless publishing is intentional, and avoid storing sensitive content in templates.
