
MD to Mobile Image

Author: nowhere1975 · GitHub · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 155
Favorites: 0
Current installs: 0
Versions: 5
Install in OpenClaw
/install md-to-image
Description
Convert Markdown files into high-contrast, mobile-friendly PNG images optimized for Telegram and social media sharing.
Security usage advice
This tool appears to do what it says, but take these precautions before installing or running it:
- Verify and fix the dependency mismatch: Playwright is required at runtime but not listed in package.json. Ask the author to add playwright (and ideally a clear install section) or install Playwright yourself and its browsers before running.
- Prefer installing packages from an official registry. The package-lock references registry.npmmirror.com; confirm you trust that mirror or regenerate a lockfile using the official npm registry.
- Treat input markdown as potentially untrusted: marked allows raw HTML, and the code loads the produced HTML into a real browser which will fetch and execute external resources. If you will convert untrusted markdown, run the tool in a network-isolated sandbox or modify the code to sanitize HTML (disable raw HTML in marked or run a sanitizer) and/or disable network access in Playwright.
- Because Playwright launches Chromium, run the tool on a machine where installing large browser binaries is acceptable and sandboxed.

If you want to proceed, ask the author for an updated package.json including playwright, clear install steps, and a note about network behavior; otherwise run the script in an isolated environment or container to limit exposure.
Functional analysis
Type: OpenClaw Skill
Name: md-to-image
Version: 2.0.0

The skill bundle provides a utility to convert Markdown files into images using Playwright and marked.js. However, the implementation in `md-to-image.js` lacks input sanitization when converting Markdown to HTML and rendering it via `page.setContent()`. This vulnerability could allow for local file disclosure (LFI) or SSRF if the agent is tasked with processing a maliciously crafted Markdown file. Per the evaluation criteria, the lack of input sanitization in a high-risk execution context (headless browser) warrants a suspicious classification.
Capability assessment
Purpose & Capability
The script implements the described feature (marked → HTML → Playwright screenshot) and writes PNGs to /tmp as expected. However the SKILL.md and code require Playwright at runtime while package.json does not list playwright as a dependency — that mismatch means installation instructions are incomplete and the tool will fail unless Playwright is installed separately. package-lock entries resolve via registry.npmmirror.com (a mirror) rather than the official npm registry, which is unusual and worth verifying.
Instruction Scope
SKILL.md instructs running the CLI against a Markdown file; the implementation reads only the provided file and writes to /tmp. But the code uses marked (which by default allows raw HTML) and then does page.setContent(..., {waitUntil: 'networkidle'}) in Playwright. That will cause the headless browser to load/execute any external resources referenced in the generated HTML (images, fonts, scripts). If the Markdown contains embedded HTML or remote resources, the page can make outbound network requests. This is scope creep relative to a purely offline conversion and could expose your environment's IP to remote hosts or cause other network activity. There is no explicit sanitization of HTML in the code.
Install Mechanism
No install spec is provided. package.json declares only marked and highlight.js, but the runtime requires Playwright/Chromium, which are large and platform-specific and typically need their own install step. The package-lock resolves packages from registry.npmmirror.com (a third-party mirror), which is not inherently malicious but atypical; installation behavior is unspecified and may require manual steps (installing Playwright and browsers).
Credentials
The skill requests no environment variables, credentials, or config paths. The filesystem access is limited to reading the user-provided markdown file and writing output PNG(s) to /tmp/md-to-img, which is proportionate to its purpose.
Persistence & Privilege
always: false and no indication the skill persists or modifies other agent/system settings. It creates a local temporary output directory (/tmp/md-to-img) for results, which is normal for a CLI utility.
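How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install md-to-image
  3. Once installation completes, call the Skill by name or trigger it with /md-to-image
  4. Provide the required inputs according to the Skill's parameter description to get structured output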
Version history
v2.0.0
No significant changes in this version.
- No file changes detected.
- Documentation, usage instructions, and technical details remain the same.
v1.1.0
No changes detected in this version.
- The SKILL.md content remains unchanged from the previous version.
- No file changes were identified.
v1.0.2
Version 1.0.2 of md-to-image
- No file changes detected in this release.
- Documentation and usage remain unchanged.
v1.0.1
- No changes detected in this version.
- Documentation and functionality remain unchanged.
v1.0.0
Initial release of md-to-image.
- Convert Markdown files into visually appealing mobile-optimized long PNG images.
- Output images at 1080px width, auto height, with high-contrast, large font on white background.
- Ensures clarity even after compression on platforms like Telegram.
- Usage: md-to-image <path-to-md-file>
- Built with Node.js, Playwright, marked.js, and highlight.js.
Metadata
Slug: md-to-image
Version: 2.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 5
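FAQ

What is MD to Mobile Image?

Convert Markdown files into high-contrast, mobile-friendly PNG images optimized for Telegram and social media sharing. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 155 total downloads to date.

How do I install MD to Mobile Image?

Run the command "/install md-to-image" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is MD to Mobile Image free?

Yes, MD to Mobile Image is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does MD to Mobile Image support?

MD to Mobile Image runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed MD to Mobile Image?

It is developed and maintained by nowhere1975 (@nowhere1975); the current version is v2.0.0.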
