← 返回 Skills 市场

Send Md As

Name: Send Md As
Author: enc-hanted

作者 Enc-hanted · GitHub ↗ · v0.3.2 · MIT-0

cross-platform ⚠ suspicious

172

总下载

当前安装

版本数

在 OpenClaw 中安装

/install send-md-as

功能描述

在即时通讯 app 中以优雅图片形式展示 Markdown。支持标题、代码高亮（行号、Monokai）、LaTeX 公式、Mermaid 图表、表格、列表。4 种色彩主题，智能分页。零 CDN 依赖，完全离线渲染。| Render Markdown as a polished image for messagin...

安全使用建议

What to consider before installing: - The skill itself appears to do what it says (render Markdown to images/PDF) and its runtime scripts operate on local files only. There is no evidence of data exfiltration in the supplied code. - The claim "Zero CDN dependency / fully offline rendering" is misleading in practice: setup.sh will download Playwright and Chromium and may install npm/pip packages from public registries. Expect network downloads at install time. - setup.sh can call system package managers with sudo and runs npm -g and pip installs (global). These will change your system environment. Prefer running setup in a controlled environment (container, VM, or dedicated dev machine) or adapt the script to use a virtualenv/--user pip installs and avoid global npm installs. - Before running setup.sh: inspect it (you already have it), run with --check-only to see missing deps without making changes, and consider hardening (lock package versions, avoid npm -g, or install dependencies manually). Be aware Playwright will download a Chromium binary (~100s MB). - If you require the "zero CDN/offline" guarantee, ask the author for an offline bundle (pre-bundled Chromium and npm artifacts) or a reproducible install method; otherwise assume runtime/install uses network resources. - Minor note: metadata/version strings are slightly inconsistent (SKILL.md header vs _meta.json and render.sh version), which looks like a bookkeeping oversight but not malicious. - If you do not trust the publisher or cannot run in a sandbox, do not run setup.sh with sudo on a production system.

功能分析

Type: OpenClaw Skill Name: send-md-as Version: 0.3.2 The skill bundle exhibits risky behaviors including the use of 'sudo' for system-wide installations in 'setup.sh' and the execution of Playwright with the '--no-sandbox' flag in 'render.sh'. It renders HTML generated from Markdown without sanitization, which is a vulnerability that could allow XSS or unauthorized local file access within the headless browser environment. While these capabilities are plausibly needed for the stated purpose of rendering complex Markdown (including LaTeX and Mermaid) to images, the combination of high-privilege setup steps and the lack of input validation represents a significant attack surface.

能力评估

ℹ Purpose & Capability

The name/description (render Markdown to images/PDF) align with the provided scripts and implementation. However, the SKILL.md claims "Zero CDN dependency, fully offline rendering," while setup.sh installs Playwright and runs 'python3 -m playwright install chromium' and optionally installs npm packages — actions that download runtime artifacts from remote registries/CDNs. This contradicts the offline/CDN-free claim.

✓ Instruction Scope

Runtime instructions are focused on rendering markdown and sending the resulting media. The SKILL.md explicitly requires manual invocation only. The scripts operate on the input markdown and local temporary files and do not attempt to read unrelated system files or environment variables.

⚠ Install Mechanism

There is no packaged install spec; the included setup.sh performs network installs via pip and npm, runs 'python3 -m playwright install chromium' (which downloads Chromium), and may call system package managers with sudo. It uses npm -g and system package installs (possible global changes). These are normal for this functionality but are moderate-risk actions because they download dependencies from public registries and require elevated privileges and global installs.

✓ Credentials

The skill requests no environment variables, no credentials, and no config paths. The runtime and scripts do not access secrets or unrelated environment variables.

ℹ Persistence & Privilege

The skill is not marked always:true and does not attempt to persist within the agent. However, setup.sh performs system-level installs (sudo package manager calls, npm -g) that modify the host environment and require elevated privileges — this is expected for installing runtime dependencies but increases the blast radius and should be acknowledged.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install send-md-as
安装完成后，直接呼叫该 Skill 的名称或使用 /send-md-as 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.3.2

Added bilingual hard rules: no auto-split without user request; prefer PDF for long content

v0.3.1

Fix: code block even-row text invisible (tr:nth-child(even) bg override in code-table)

v0.3.0

**Summary:** v0.3.0 introduces multi-format output, more robust offline rendering, and advanced features for Markdown-to-image conversion in messaging apps. - Now supports exporting as JPEG, PNG, WebP, or PDF. - Adds 4 color themes: light, dark, sepia, and nord. - Introduces smart page splitting (A4, A5, or none). - Fully offline rendering with zero CDN dependency. - Enhances syntax highlighting, LaTeX rendering, Mermaid diagrams, and task lists. - Expanded and improved CLI options for rendering and sending.

元数据

Slug send-md-as

版本 0.3.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题

Send Md As 是什么？

在即时通讯 app 中以优雅图片形式展示 Markdown。支持标题、代码高亮（行号、Monokai）、LaTeX 公式、Mermaid 图表、表格、列表。4 种色彩主题，智能分页。零 CDN 依赖，完全离线渲染。| Render Markdown as a polished image for messagin... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 172 次。

如何安装 Send Md As？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install send-md-as」即可一键安装，无需额外配置。

Send Md As 是免费的吗？

是的，Send Md As 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Send Md As 支持哪些平台？

Send Md As 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Send Md As？

由 Enc-hanted（@enc-hanted）开发并维护，当前版本 v0.3.2。