← Back to Skills Marketplace
138
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install md2img
Description
Convert Markdown (inline text or a `.md` file path) into a single PNG image using local code (Markdown -> HTML -> headless browser screenshot). Use when the...
Usage Guidance
This skill appears coherent for converting Markdown to a single PNG, but consider the following before installing or running it: (1) The script will fetch remote images referenced in the Markdown (HTTP(S) GETs with a custom User-Agent) and will read local image files referenced by paths in the Markdown — so embedding attacker-controlled URLs will cause outbound requests that reveal your machine's IP to those hosts. (2) The SKILL.md recommends installing playwright and running `playwright install chromium`, which will download Chromium — perform this in a sandboxed environment or VM if you are cautious. (3) If `bleach` is not installed the script falls back to a weaker regex-based sanitizer; for safer handling of untrusted Markdown, install bleach. (4) Avoid running this with elevated privileges and don't point it at Markdown that references sensitive local files you don't want read. If these behaviors are acceptable, the skill is coherent and usable.
Capability Analysis
Type: OpenClaw Skill
Name: md2img
Version: 1.0.0
The skill provides Markdown-to-PNG conversion but contains a significant vulnerability in `scripts/md_to_png.py`. The `_inline_images_in_html` function allows reading and inlining arbitrary local files (LFI) and making outbound HTTP requests (SSRF) via the `src` attribute of `<img>` tags. Specifically, it explicitly resolves absolute filesystem paths (e.g., `/etc/passwd`), which could be exploited to exfiltrate sensitive system data by rendering it into the output image. While the script uses the `bleach` library for HTML sanitization, the subsequent image processing logic bypasses protocol restrictions for local file access.
Capability Assessment
Purpose & Capability
The name/description (Markdown -> PNG via local headless browser) aligns with the included script and SKILL.md. Required binary is only python3 (declared) and the script performs Markdown->HTML->screenshot as described.
Instruction Scope
SKILL.md and the script are consistent: inline Markdown is written to a temp file, .md file inputs are used directly, output path handling and single fullPage PNG behavior are enforced. The script will read local files referenced by <img src=...> (absolute or relative) and will perform HTTP(S) GETs to inline remote images. These network/local-file reads are coherent with the stated 'inline images as base64' behavior but are notable for privacy/exfiltration considerations (remote image hosts receive GETs).
Install Mechanism
This is an instruction-only skill (no automated install steps). The SKILL.md instructs creating a Python virtualenv and installing packages (markdown, bleach, pygments, playwright) and running `playwright install chromium`. Those are reasonable for the stated functionality but will download third-party packages and Chromium when followed.
Credentials
No environment variables, credentials, or config paths are requested. The script accesses local filesystem paths referenced by the user-provided .md (expected) and may read image files referenced in the Markdown. No unrelated credentials or secrets are requested.
Persistence & Privilege
always is false and the skill doesn't request persistent/privileged presence. It does not modify other skills or system-wide configuration. The runtime behavior (creating/removing a temp dir for inline input) is documented.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install md2img - After installation, invoke the skill by name or use
/md2img - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of md2img.
- Converts Markdown (inline text or `.md` file path) to a single PNG image using a headless browser.
- Supports both inline Markdown text and file path inputs.
- Ensures output is always a single PNG file to a user-specified path or default filename.
- Optional mobile-friendly rendering via adjustable image width.
- Basic dark mode support using system/browser preferences.
Metadata
Frequently Asked Questions
What is md2img?
Convert Markdown (inline text or a `.md` file path) into a single PNG image using local code (Markdown -> HTML -> headless browser screenshot). Use when the... It is an AI Agent Skill for Claude Code / OpenClaw, with 138 downloads so far.
How do I install md2img?
Run "/install md2img" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is md2img free?
Yes, md2img is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does md2img support?
md2img is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created md2img?
It is built and maintained by JuneBao (@520mianxiangduixiang520); the current version is v1.0.0.
More Skills