Trusted — Risk Score 5/100
Last scan: 2 days ago
nuomi-xhs-card
Local Markdown/MDX to Xiaohongshu-style card image generator with 24 themes, light/dark modes, and intelligent pagination
This is a legitimate local Markdown-to-image card renderer with no malicious behavior. All functionality is properly documented and implemented using standard Node.js tooling (Playwright, React, unified ecosystem).
Skill Name: nuomi-xhs-card
Duration: 45.3s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings (2 items)

Severity: Low
Finding: Remote image fetching in weChat mode
Location: scripts/src/core/structure.ts:22
Description: The weChat mode option fetches remote images and converts them to data URLs. This network access is not documented in SKILL.md.
Evidence: const response = await fetch(url, {...})
Recommendation: Add documentation for the --wechat-mode option, including its network access behavior.

Severity: Info
Finding: Standard Playwright browser installation
Location: scripts/setup.sh:14
Description: setup.sh installs the Playwright Chromium browser via npx. This is standard practice and not a security concern.
Evidence: npx --prefix "${SCRIPT_DIR}" playwright install chromium
Recommendation: No action needed; this is expected behavior for browser automation tools.
Resource | Declared | Inferred | Status | Evidence
--- | --- | --- | --- | ---
Filesystem | READ | WRITE | ✓ Aligned | Reads markdown, writes PNG outputs and report JSON
Network | NONE | READ | ✓ Aligned | scripts/src/core/structure.ts:22 - fetch() for remote images in weChat mode
Shell | WRITE | WRITE | ✓ Aligned | scripts/setup.sh uses npm ci/install and npx playwright install
External URLs (2 findings)

Severity | Type | URL | Location
--- | --- | --- | ---
Medium | External URL | http://www.w3.org/2000/svg | assets/templates/alibaba.html:180
Medium | External URL | https://opencollective.com/unified | scripts/package-lock.json:511

File Tree

44 files · 472.2 KB · 18462 lines
By language: HTML 24 files, 13133 lines; JSON 3 files, 3230 lines; TypeScript 10 files, 1611 lines; Markdown 5 files, 459 lines; Shell 1 file, 17 lines; JavaScript 1 file, 12 lines
├─ 📁 assets
│ ├─ 📁 templates
│ │ ├─ 📄 alibaba.html HTML 533L · 14.5 KB
│ │ ├─ 📄 apple-notes.html HTML 251L · 6.0 KB
│ │ ├─ 📄 art-deco.html HTML 708L · 17.9 KB
│ │ ├─ 📄 business.html HTML 495L · 10.8 KB
│ │ ├─ 📄 bytedance.html HTML 576L · 15.8 KB
│ │ ├─ 📄 coil-notebook.html HTML 303L · 6.7 KB
│ │ ├─ 📄 cyberpunk.html HTML 1120L · 24.4 KB
│ │ ├─ 📄 darktech.html HTML 672L · 14.2 KB
│ │ ├─ 📄 dreamy.html HTML 471L · 9.8 KB
│ │ ├─ 📄 fairytale.html HTML 618L · 13.5 KB
│ │ ├─ 📄 glassmorphism.html HTML 655L · 15.0 KB
│ │ ├─ 📄 instagram.html HTML 508L · 12.1 KB
│ │ ├─ 📄 japanese-magazine.html HTML 596L · 12.8 KB
│ │ ├─ 📄 meadow-dawn.html HTML 393L · 8.4 KB
│ │ ├─ 📄 minimal.html HTML 408L · 8.2 KB
│ │ ├─ 📄 minimalist.html HTML 481L · 9.9 KB
│ │ ├─ 📄 nature.html HTML 440L · 8.6 KB
│ │ ├─ 📄 notebook.html HTML 582L · 12.4 KB
│ │ ├─ 📄 pop-art.html HTML 583L · 15.2 KB
│ │ ├─ 📄 traditional-chinese.html HTML 590L · 13.0 KB
│ │ ├─ 📄 typewriter.html HTML 605L · 14.9 KB
│ │ ├─ 📄 warm.html HTML 426L · 9.0 KB
│ │ ├─ 📄 watercolor.html HTML 587L · 12.4 KB
│ │ └─ 📄 xiaohongshu.html HTML 532L · 10.9 KB
│ └─ 📝 preview-template.md Markdown 8L · 226 B
├─ 📁 references
│ ├─ 📝 cli-reference.md Markdown 143L · 3.2 KB
│ └─ 📝 templates.md Markdown 128L · 4.2 KB
├─ 📁 scripts
│ ├─ 📁 src
│ │ ├─ 📁 browser
│ │ │ └─ 📜 page.tsx TypeScript 26L · 796 B
│ │ ├─ 📁 core
│ │ │ ├─ 📜 markdown.ts TypeScript 80L · 2.2 KB
│ │ │ ├─ 📜 paginate.ts TypeScript 539L · 14.7 KB
│ │ │ ├─ 📜 preview.ts TypeScript 69L · 2.1 KB
│ │ │ ├─ 📜 render.ts TypeScript 91L · 2.7 KB
│ │ │ ├─ 📜 structure.ts TypeScript 102L · 3.0 KB
│ │ │ ├─ 📜 template.ts TypeScript 175L · 4.4 KB
│ │ │ ├─ 📜 themes.ts TypeScript 181L · 4.8 KB
│ │ │ └─ 📜 types.ts TypeScript 97L · 1.9 KB
│ │ └─ 📜 cli.ts TypeScript 251L · 8.0 KB
│ ├─ 📋 package-lock.json JSON 3178L · 114.0 KB
│ ├─ 📋 package.json JSON 37L · 1.0 KB
│ ├─ 🔧 setup.sh Shell 17L · 397 B
│ ├─ 📋 tsconfig.json JSON 15L · 354 B
│ └─ 📜 xhs-card.cjs JavaScript 12L · 451 B
├─ 📝 SKILL.md Markdown 100L · 3.5 KB
└─ 📝 test.md Markdown 80L · 4.1 KB

Dependencies (5 items)

Package | Version | Source | Known Vulns | Notes
--- | --- | --- | --- | ---
playwright | ^1.55.0 | npm | No | Standard browser automation tool
@mdx-js/mdx | ^3.1.1 | npm | No | Official MDX processor
react | ^19.1.1 | npm | No | Standard UI library
cheerio | ^1.1.2 | npm | No | Standard HTML parser
unified | ^11.0.5 | npm | No | Standard Markdown processor

Security Positives

✓ No credential harvesting or environment variable access for secrets
✓ No exfiltration of user data or system information
✓ No reverse shell, C2, or command-and-control functionality
✓ No base64-encoded shell commands or obfuscated payloads
✓ No hidden JavaScript in HTML templates (pure CSS styling)
✓ Network fetch() is only for converting remote images to data URLs in weChat mode
✓ Uses well-established, audited packages (React, Playwright, unified, cheerio)
✓ All shell commands (npm install, playwright install) are standard tooling
✓ Local file operations are scoped to user-specified input/output paths