← 返回 Skills 市场
613
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install md-table-image
功能描述
Render markdown tables as PNG images. Use whenever you need to send a table in chat — render it as an image instead of raw markdown text.
安全使用建议
This skill appears to perform the advertised function, but review and caution are recommended before installing. Key things to consider: 1) The renderer injects unsanitized HTML into a headless browser—do not feed untrusted markdown (or markdown that may include raw HTML) because scripts or remote-resource tags could run and trigger network requests. 2) The script hard-codes a macOS Chrome path and relies on puppeteer-core (no Chromium bundled), so you must ensure a compatible Chrome/Chromium is installed in a safe, sandboxed environment; on non-mac systems the path will fail. 3) The script launches Chrome with --no-sandbox which reduces process isolation; run it in an isolated container or VM if you must render untrusted content. If you plan to use this skill, either (a) sanitize or escape input before rendering, (b) remove/disable execution of raw HTML, or (c) run the tool in an isolated environment and update the executablePath to a managed Chromium installation. If you want me to, I can suggest code changes to properly escape HTML or to fetch a managed Chromium binary instead of using a hard-coded path.
功能分析
Type: OpenClaw Skill
Name: md-table-image
Version: 1.0.0
The skill is classified as suspicious due to a critical vulnerability in `scripts/render.mjs`. It directly embeds user-provided markdown content into HTML without proper sanitization, allowing for Cross-Site Scripting (XSS). More critically, Puppeteer is launched with `--no-sandbox` and `--disable-setuid-sandbox` flags, which disables the browser's security sandbox. This combination creates a severe Remote Code Execution (RCE) risk, as a malicious user could inject crafted HTML/JavaScript that, if exploited, could execute arbitrary code on the host system with the privileges of the OpenClaw agent, bypassing critical security protections.
能力评估
Purpose & Capability
The code matches the stated purpose: a Node script renders markdown to HTML and screenshots it with puppeteer-core. However the project depends on puppeteer-core (which requires an existing Chrome/Chromium) but the SKILL metadata only declares 'node' as a required binary. The script also hard-codes an executablePath to a macOS Chrome binary ('/Applications/Google Chrome.app/...'), which is platform-specific and not reflected in the skill metadata (OS restriction: none).
Instruction Scope
The script builds an HTML document by inserting processed markdown directly into page content without escaping or sanitizing raw HTML. mdToHtml only converts some markdown constructs and will allow raw HTML lines through (formatCell does not escape '<' or '>'). That means arbitrary <script> or <img src=...> tags in input could run in the headless browser or trigger network requests. The code uses page.setContent(..., { waitUntil: 'networkidle0' }), which will wait for network activity—so external requests can occur. This broadens scope beyond simple local rendering and could be used to cause SSRF-like requests or exfiltrate data from the environment accessible to the browser process if untrusted markdown is rendered.
Install Mechanism
There is no install spec; the skill is instruction-only even though package.json and package-lock.json are included. The dependency is puppeteer-core (no bundled Chromium). That means an operator must provide a compatible Chrome/Chromium binary and run npm install to satisfy deps. Lack of an install step and the macOS hard-coded path may cause surprises or misconfiguration on non-mac systems.
Credentials
The skill does not request environment variables or credentials. The absence of declared secrets is appropriate for the stated purpose. Note, however, that the headless browser will have process-level access (filesystem, network) subject to the runtime environment—this is not expressed as required config but is relevant to risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It does not persist configuration or request long-lived access to agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install md-table-image - 安装完成后,直接呼叫该 Skill 的名称或使用
/md-table-image触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: render markdown tables as styled PNG images via puppeteer-core + Chrome
元数据
常见问题
MD Table Image 是什么?
Render markdown tables as PNG images. Use whenever you need to send a table in chat — render it as an image instead of raw markdown text. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 613 次。
如何安装 MD Table Image?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install md-table-image」即可一键安装,无需额外配置。
MD Table Image 是免费的吗?
是的,MD Table Image 完全免费(开源免费),可自由下载、安装和使用。
MD Table Image 支持哪些平台?
MD Table Image 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 MD Table Image?
由 kirorab(@kirorab)开发并维护,当前版本 v1.0.0。
推荐 Skills