← 返回 Skills 市场
408
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install markdown-canvas
功能描述
Convert markdown files to beautiful HTML pages suitable for Canvas display or browser viewing. Use when user asks to render, visualize, display, or share mar...
安全使用建议
This skill does what it says (convert .md → .html) and only needs python3, but it has a security bug: the converter inserts most markdown output into the template without escaping or sanitizing it. That means a malicious or untrusted .md file could inject HTML (including <script> tags) or use javascript: links that execute when the output is opened or shared. Before installing or using on untrusted content: (1) avoid opening or publishing generated HTML from untrusted sources; (2) prefer or request that the author add proper escaping/sanitization (use a well-maintained Markdown library + an HTML sanitizer such as Python's markdown + bleach, or ensure process_inline_formatting applies escape_html before inserting text and validate/sanitize URLs); (3) review or test the script locally with representative inputs; (4) consider using established tooling that enforces safe defaults. If you only convert trusted personal notes, the risk is lower, but heed caution when sharing or running on external markdown.
功能分析
Type: OpenClaw Skill
Name: markdown-canvas
Version: 1.0.2
The `scripts/convert.py` file contains a critical Cross-Site Scripting (XSS) vulnerability. The `convert_markdown_to_html` function does not properly sanitize or escape user-provided markdown content before injecting it into the `{{CONTENT}}` placeholder in `assets/template.html`. This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML page by including raw HTML tags (e.g., `<script>alert('XSS')</script>`) in the input markdown file. This is a severe vulnerability, but there is no evidence of intentional malicious behavior like data exfiltration or persistence.
能力评估
Purpose & Capability
Name, description, SKILL.md, package.json, template, and the convert.py script all align: this is a simple local Markdown→HTML renderer that requires only python3. Required binaries/env/configs are proportionate.
Instruction Scope
SKILL.md limits runtime actions to running scripts/reading the template and optionally opening or pushing the generated file. However, convert.py does not escape or sanitize most user-provided markdown content (headers, paragraphs, links, inline formatting are injected directly into the template). Only code blocks are escaped. That can produce HTML containing raw tags or javascript: links and enable XSS or unexpected script execution when opening or sharing the output.
Install Mechanism
Instruction-only skill with no install spec; only requires python3 on PATH. No downloads or archive extraction present.
Credentials
No environment variables, no credentials, and no config paths requested. The skill does not ask for unrelated secrets or system credentials.
Persistence & Privilege
always:false and no installation hooks are present. The skill does not request persistent/system-level privileges or modify other skills' configuration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install markdown-canvas - 安装完成后,直接呼叫该 Skill 的名称或使用
/markdown-canvas触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
Add GitHub repository and homepage links
v1.0.1
Add package.json, LICENSE, and update contact links (Jike, GitHub)
v1.0.0
Initial release
元数据
常见问题
Markdown Canvas 是什么?
Convert markdown files to beautiful HTML pages suitable for Canvas display or browser viewing. Use when user asks to render, visualize, display, or share mar... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 408 次。
如何安装 Markdown Canvas?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install markdown-canvas」即可一键安装,无需额外配置。
Markdown Canvas 是免费的吗?
是的,Markdown Canvas 完全免费(开源免费),可自由下载、安装和使用。
Markdown Canvas 支持哪些平台?
Markdown Canvas 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Markdown Canvas?
由 jingyu525(@jingyu525)开发并维护,当前版本 v1.0.2。
推荐 Skills