← Back to Skills Marketplace
613
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install md-table-image
Description
Render markdown tables as PNG images. Use whenever you need to send a table in chat — render it as an image instead of raw markdown text.
Usage Guidance
This skill appears to perform the advertised function, but review and caution are recommended before installing. Key things to consider: 1) The renderer injects unsanitized HTML into a headless browser—do not feed untrusted markdown (or markdown that may include raw HTML) because scripts or remote-resource tags could run and trigger network requests. 2) The script hard-codes a macOS Chrome path and relies on puppeteer-core (no Chromium bundled), so you must ensure a compatible Chrome/Chromium is installed in a safe, sandboxed environment; on non-mac systems the path will fail. 3) The script launches Chrome with --no-sandbox which reduces process isolation; run it in an isolated container or VM if you must render untrusted content. If you plan to use this skill, either (a) sanitize or escape input before rendering, (b) remove/disable execution of raw HTML, or (c) run the tool in an isolated environment and update the executablePath to a managed Chromium installation. If you want me to, I can suggest code changes to properly escape HTML or to fetch a managed Chromium binary instead of using a hard-coded path.
Capability Analysis
Type: OpenClaw Skill
Name: md-table-image
Version: 1.0.0
The skill is classified as suspicious due to a critical vulnerability in `scripts/render.mjs`. It directly embeds user-provided markdown content into HTML without proper sanitization, allowing for Cross-Site Scripting (XSS). More critically, Puppeteer is launched with `--no-sandbox` and `--disable-setuid-sandbox` flags, which disables the browser's security sandbox. This combination creates a severe Remote Code Execution (RCE) risk, as a malicious user could inject crafted HTML/JavaScript that, if exploited, could execute arbitrary code on the host system with the privileges of the OpenClaw agent, bypassing critical security protections.
Capability Assessment
Purpose & Capability
The code matches the stated purpose: a Node script renders markdown to HTML and screenshots it with puppeteer-core. However the project depends on puppeteer-core (which requires an existing Chrome/Chromium) but the SKILL metadata only declares 'node' as a required binary. The script also hard-codes an executablePath to a macOS Chrome binary ('/Applications/Google Chrome.app/...'), which is platform-specific and not reflected in the skill metadata (OS restriction: none).
Instruction Scope
The script builds an HTML document by inserting processed markdown directly into page content without escaping or sanitizing raw HTML. mdToHtml only converts some markdown constructs and will allow raw HTML lines through (formatCell does not escape '<' or '>'). That means arbitrary <script> or <img src=...> tags in input could run in the headless browser or trigger network requests. The code uses page.setContent(..., { waitUntil: 'networkidle0' }), which will wait for network activity—so external requests can occur. This broadens scope beyond simple local rendering and could be used to cause SSRF-like requests or exfiltrate data from the environment accessible to the browser process if untrusted markdown is rendered.
Install Mechanism
There is no install spec; the skill is instruction-only even though package.json and package-lock.json are included. The dependency is puppeteer-core (no bundled Chromium). That means an operator must provide a compatible Chrome/Chromium binary and run npm install to satisfy deps. Lack of an install step and the macOS hard-coded path may cause surprises or misconfiguration on non-mac systems.
Credentials
The skill does not request environment variables or credentials. The absence of declared secrets is appropriate for the stated purpose. Note, however, that the headless browser will have process-level access (filesystem, network) subject to the runtime environment—this is not expressed as required config but is relevant to risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It does not persist configuration or request long-lived access to agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install md-table-image - After installation, invoke the skill by name or use
/md-table-image - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: render markdown tables as styled PNG images via puppeteer-core + Chrome
Metadata
Frequently Asked Questions
What is MD Table Image?
Render markdown tables as PNG images. Use whenever you need to send a table in chat — render it as an image instead of raw markdown text. It is an AI Agent Skill for Claude Code / OpenClaw, with 613 downloads so far.
How do I install MD Table Image?
Run "/install md-table-image" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MD Table Image free?
Yes, MD Table Image is completely free (open-source). You can download, install and use it at no cost.
Which platforms does MD Table Image support?
MD Table Image is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created MD Table Image?
It is built and maintained by kirorab (@kirorab); the current version is v1.0.0.
More Skills