diff --git a/astrbot/dashboard/routes/plugin.py b/astrbot/dashboard/routes/plugin.py
index ff785a0379..3654100670 100644
--- a/astrbot/dashboard/routes/plugin.py
+++ b/astrbot/dashboard/routes/plugin.py
@@ -46,6 +46,9 @@
 PLUGIN_UPDATE_CONCURRENCY = (
     3  # limit concurrent updates to avoid overwhelming plugin sources
 )
+PLUGIN_ASSET_MIME_PREFIX = "image/"
+GITHUB_DEFAULT_BRANCH_REF = "HEAD"
+GITHUB_REPO_PART_PATTERN = re.compile(r"^[A-Za-z0-9_.-]+$")
 _PLUGIN_PAGE_BRIDGE_FILE = (
     Path(__file__).resolve().parent.parent / "plugin_page_bridge.js"
 )
@@ -74,6 +77,9 @@
 _PLUGIN_PAGE_ROOT_DIR_NAME = "pages"
 _PLUGIN_PAGE_ENTRY_FILE_NAME = "index.html"
 
+mimetypes.add_type("image/svg+xml", ".svg")
+mimetypes.add_type("image/webp", ".webp")
+
 
 def _normalize_plugin_page_asset_path(asset_path: str) -> str:
     return PluginRoute._normalize_plugin_page_path(asset_path, allow_empty=True)
@@ -128,6 +134,7 @@ def __init__(
             "/plugin/reload-failed": ("POST", self.reload_failed_plugins),
             "/plugin/reload": ("POST", self.reload_plugins),
             "/plugin/readme": ("GET", self.get_plugin_readme),
+            "/plugin/asset": ("GET", self.get_plugin_asset),
             "/plugin/changelog": ("GET", self.get_plugin_changelog),
             "/plugin/source/get": ("GET", self.get_custom_source),
             "/plugin/source/save": ("POST", self.save_custom_source),
@@ -210,6 +217,45 @@ def _get_plugin_metadata_by_name(self, plugin_name: str) -> StarMetadata | None:
                 return plugin
         return None
 
+    def _parse_github_repo_url(self, repo_url: str | None) -> tuple[str, str] | None:
+        if not isinstance(repo_url, str):
+            return None
+
+        normalized_repo_url = repo_url.strip()
+        if not normalized_repo_url:
+            return None
+
+        parsed = urlsplit(normalized_repo_url)
+        if parsed.scheme not in ("http", "https"):
+            return None
+        if parsed.netloc.lower() not in {"github.com", "www.github.com"}:
+            return None
+
+        parts = [part for part in parsed.path.strip("/").split("/") if part]
+        if len(parts) < 2:
+            return None
+
+        owner = parts[0]
+        repo = parts[1].removesuffix(".git")
+        if not owner or not repo:
+            return None
+        if owner in {".", ".."} or repo in {".", ".."}:
+            return None
+        if not GITHUB_REPO_PART_PATTERN.fullmatch(owner):
+            return None
+        if not GITHUB_REPO_PART_PATTERN.fullmatch(repo):
+            return None
+
+        return owner, repo
+
+    def _build_github_raw_base(self, repo_url: str | None) -> str | None:
+        repo_info = self._parse_github_repo_url(repo_url)
+        if not repo_info:
+            return None
+
+        owner, repo = repo_info
+        return f"https://github.com/{owner}/{repo}/raw/{GITHUB_DEFAULT_BRANCH_REF}"
+
     @staticmethod
     def _get_by_path(source: dict | None, key: str):
         if not isinstance(source, dict) or not key:
@@ -390,6 +436,45 @@ def _get_plugin_root_dir(self, plugin: StarMetadata) -> Path:
         plugin_root.relative_to(base_dir)
         return plugin_root
 
+    async def _resolve_plugin_asset_file(
+        self,
+        plugin: StarMetadata,
+        asset_path: str,
+    ) -> Path:
+        plugin_root = self._get_plugin_root_dir(plugin)
+        normalized_path = self._normalize_plugin_page_path(asset_path)
+        target_path = (plugin_root / normalized_path).resolve(strict=False)
+        target_path.relative_to(plugin_root)
+        if not await aio_ospath.isfile(str(target_path)):
+            raise FileNotFoundError("Plugin asset not found")
+        return target_path
+
+    async def get_plugin_asset(self):
+        plugin_name = request.args.get("name")
+        asset_path = request.args.get("path")
+
+        if not plugin_name or not asset_path:
+            return await self._plugin_page_error_response(404, "Plugin asset not found")
+
+        plugin = self._get_plugin_metadata_by_name(plugin_name)
+        if not plugin:
+            return await self._plugin_page_error_response(404, "Plugin not found")
+
+        try:
+            file_path = await self._resolve_plugin_asset_file(plugin, asset_path)
+        except (FileNotFoundError, ValueError, OSError):
+            logger.info(f"插件资源访问失败: {plugin_name}/{asset_path}")
+            return await self._plugin_page_error_response(404, "Plugin asset not found")
+
+        mimetype, _ = mimetypes.guess_type(file_path.name)
+        if not mimetype or not mimetype.startswith(PLUGIN_ASSET_MIME_PREFIX):
+            return await self._plugin_page_error_response(404, "Plugin asset not found")
+
+        response = await self._serve_plugin_page_static_asset(file_path)
+        if mimetype == "image/svg+xml":
+            response.headers["Content-Security-Policy"] = "default-src 'none'"
+        return response
+
     async def _resolve_plugin_pages_root(
         self,
         plugin: StarMetadata,
@@ -2001,12 +2086,7 @@ async def get_plugin_readme(self):
             logger.warning("插件名称为空")
             return Response().error("插件名称不能为空").__dict__
 
-        plugin_obj = None
-        for plugin in self.plugin_manager.context.get_all_stars():
-            if plugin.name == plugin_name:
-                plugin_obj = plugin
-                break
-
+        plugin_obj = self._get_plugin_metadata_by_name(plugin_name)
         if not plugin_obj:
             logger.warning(f"插件 {plugin_name} 不存在")
             return Response().error(f"插件 {plugin_name} 不存在").__dict__
@@ -2015,34 +2095,34 @@ async def get_plugin_readme(self):
             logger.warning(f"插件 {plugin_name} 目录不存在")
             return Response().error(f"插件 {plugin_name} 目录不存在").__dict__
 
-        if plugin_obj.reserved:
-            plugin_dir = os.path.join(
-                self.plugin_manager.reserved_plugin_path,
-                plugin_obj.root_dir_name,
-            )
-        else:
-            plugin_dir = os.path.join(
-                self.plugin_manager.plugin_store_path,
-                plugin_obj.root_dir_name,
-            )
+        try:
+            plugin_dir = self._get_plugin_root_dir(plugin_obj)
+        except (FileNotFoundError, ValueError):
+            logger.warning(f"插件 {plugin_name} 目录不存在")
+            return Response().error(f"插件 {plugin_name} 目录不存在").__dict__
 
-        if not os.path.isdir(plugin_dir):
+        if not await aio_ospath.isdir(str(plugin_dir)):
             logger.warning(f"无法找到插件目录: {plugin_dir}")
             return Response().error(f"无法找到插件 {plugin_name} 的目录").__dict__
 
-        readme_path = os.path.join(plugin_dir, "README.md")
+        readme_path = plugin_dir / "README.md"
 
-        if not os.path.isfile(readme_path):
+        if not await aio_ospath.isfile(str(readme_path)):
             logger.warning(f"插件 {plugin_name} 没有README文件")
             return Response().error(f"插件 {plugin_name} 没有README文件").__dict__
 
         try:
-            with open(readme_path, encoding="utf-8") as f:
-                readme_content = f.read()
+            readme_content = await self._read_plugin_page_text(readme_path)
 
             return (
                 Response()
-                .ok({"content": readme_content}, "成功获取README内容")
+                .ok(
+                    {
+                        "content": readme_content,
+                        "github_raw_base": self._build_github_raw_base(plugin_obj.repo),
+                    },
+                    "成功获取README内容",
+                )
                 .__dict__
             )
         except Exception as e:
diff --git a/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue b/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue
new file mode 100644
index 0000000000..08945f4076
--- /dev/null
+++ b/dashboard/src/components/shared/PluginReadmeImageSourceSetting.vue
@@ -0,0 +1,70 @@
+<template>
+    <div class="readme-image-source">
+        <v-switch
+            v-model="readmeImageUseGitHub"
+            class="readme-image-source-switch"
+            color="primary"
+            density="compact"
+            hide-details
+            :label="tm('network.proxySelector.readmeImages.useGitHub')">
+        </v-switch>
+        <div class="text-caption text-medium-emphasis mt-1">
+            {{ tm('network.proxySelector.readmeImages.hint') }}
+        </div>
+    </div>
+</template>
+
+<script setup>
+import { computed, ref, watch } from 'vue';
+import { useModuleI18n } from '@/i18n/composables';
+import {
+    PLUGIN_README_IMAGE_SOURCE,
+    getPluginReadmeImageSource,
+    setPluginReadmeImageSource
+} from '@/utils/githubProxy';
+
+const { tm } = useModuleI18n('features/settings');
+
+const readmeImageSource = ref(getPluginReadmeImageSource());
+
+const readmeImageUseGitHub = computed({
+    get() {
+        return readmeImageSource.value === PLUGIN_README_IMAGE_SOURCE.GITHUB;
+    },
+    set(value) {
+        readmeImageSource.value = value
+            ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+            : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+    }
+});
+
+watch(readmeImageSource, (newVal) => {
+    setPluginReadmeImageSource(newVal);
+});
+</script>
+
+<style scoped>
+.readme-image-source {
+    max-width: 100%;
+    overflow: visible;
+    padding-left: 10px;
+}
+
+.readme-image-source-switch {
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-selection-control) {
+    min-height: 32px;
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-selection-control__wrapper) {
+    overflow: visible;
+}
+
+.readme-image-source-switch :deep(.v-label) {
+    line-height: 1.35;
+    white-space: normal;
+}
+</style>
diff --git a/dashboard/src/components/shared/ReadmeDialog.vue b/dashboard/src/components/shared/ReadmeDialog.vue
index eb159f62eb..336f4fc35f 100644
--- a/dashboard/src/components/shared/ReadmeDialog.vue
+++ b/dashboard/src/components/shared/ReadmeDialog.vue
@@ -1,11 +1,16 @@
 <script setup>
-import { ref, watch, computed, onUnmounted } from "vue";
+import { ref, watch, computed, onMounted, onUnmounted } from "vue";
 import { useTheme } from "vuetify";
 import MarkdownIt from "markdown-it";
 import axios from "axios";
 import DOMPurify from "dompurify";
 import { useI18n } from "@/i18n/composables";
 import { copyToClipboard } from "@/utils/clipboard";
+import {
+  PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+  buildGitHubProxyUrl,
+  isPluginReadmeGitHubImageSource,
+} from "@/utils/githubProxy";
 import {
   escapeHtml,
   ensureShikiLanguages,
@@ -58,6 +63,8 @@ const lastRequestId = ref(0);
 const lastRenderId = ref(0);
 const scrollContainer = ref(null);
 const renderedHtml = ref("");
+const githubRawBase = ref(null);
+const readmeImageSourceVersion = ref(0);
 const isDark = computed(() => theme.global.current.value.dark);
 
 const MARKDOWN_SANITIZE_OPTIONS = {
@@ -172,8 +179,88 @@ function slugifyHeading(text, slugCounts) {
 
 onUnmounted(() => {
   if (copyFeedbackTimer.value) clearTimeout(copyFeedbackTimer.value);
+  if (typeof window !== "undefined") {
+    window.removeEventListener(
+      PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+      handleReadmeImageSourceChanged,
+    );
+  }
+});
+
+function handleReadmeImageSourceChanged() {
+  readmeImageSourceVersion.value += 1;
+}
+
+onMounted(() => {
+  if (typeof window !== "undefined") {
+    window.addEventListener(
+      PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT,
+      handleReadmeImageSourceChanged,
+    );
+  }
 });
 
+function isRemoteImageSrc(src) {
+  const value = (src || "").trim().toLowerCase();
+  return (
+    value.startsWith("http://") ||
+    value.startsWith("https://") ||
+    value.startsWith("//") ||
+    value.startsWith("data:") ||
+    value.startsWith("blob:")
+  );
+}
+
+function normalizeGitHubAssetPath(decodedPath) {
+  const segments = [];
+  for (const segment of decodedPath.split("/")) {
+    if (!segment || segment === ".") continue;
+    if (segment === "..") return null;
+    segments.push(segment);
+  }
+  return segments.length ? segments.join("/") : null;
+}
+
+function getPluginAssetSrc(src) {
+  if (!props.pluginName) return src;
+
+  const value = (src || "").trim();
+  if (!value || value.startsWith("#") || isRemoteImageSrc(value)) return src;
+  if (value.startsWith("/api/")) return src;
+  if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(value)) return src;
+
+  const normalizedValue = value.startsWith("/") ? value.slice(1) : value;
+  const pathEnd = normalizedValue.search(/[?#]/);
+  const rawPath =
+    pathEnd === -1 ? normalizedValue : normalizedValue.slice(0, pathEnd);
+  if (!rawPath) return src;
+
+  let decodedPath = rawPath;
+  try {
+    decodedPath = decodeURI(rawPath);
+  } catch (err) {
+    decodedPath = rawPath;
+  }
+
+  const suffix = pathEnd === -1 ? "" : normalizedValue.slice(pathEnd);
+  if (githubRawBase.value && isPluginReadmeGitHubImageSource()) {
+    const githubPath = normalizeGitHubAssetPath(decodedPath);
+    if (!githubPath) return src;
+
+    const encodedPath = githubPath
+      .split("/")
+      .map((part) => encodeURIComponent(part))
+      .join("/");
+    return buildGitHubProxyUrl(`${githubRawBase.value}/${encodedPath}${suffix}`);
+  }
+
+  const params = new URLSearchParams({
+    name: props.pluginName,
+    path: decodedPath,
+  });
+  return `/api/plugin/asset?${params.toString()}`;
+}
+
 function sanitizeHighlightedBlock(html) {
   return DOMPurify.sanitize(html, CODE_BLOCK_SANITIZE_OPTIONS);
 }
@@ -251,6 +338,11 @@ async function updateRenderedHtml() {
       link.setAttribute("rel", "noopener noreferrer");
     }
   });
+  tempDiv.querySelectorAll("img").forEach((img) => {
+    const src = img.getAttribute("src");
+    const assetSrc = getPluginAssetSrc(src);
+    if (assetSrc && assetSrc !== src) img.setAttribute("src", assetSrc);
+  });
 
   tempDiv.querySelectorAll("[data-code-block-index]").forEach((placeholder) => {
     const index = Number(placeholder.getAttribute("data-code-block-index"));
@@ -310,6 +402,7 @@ async function fetchContent() {
   const requestId = ++lastRequestId.value;
   loading.value = true;
   content.value = null;
+  githubRawBase.value = null;
   error.value = null;
   isEmpty.value = false;
 
@@ -326,6 +419,7 @@ async function fetchContent() {
     if (res.data.status === "ok") {
       if (res.data.data.content) content.value = res.data.data.content;
       else isEmpty.value = true;
+      githubRawBase.value = res.data.data.github_raw_base || null;
     } else {
       error.value = res.data.message;
     }
@@ -346,7 +440,7 @@ watch(
   { immediate: true },
 );
 
-watch([content, locale, isDark], () => {
+watch([content, locale, isDark, readmeImageSourceVersion], () => {
   updateRenderedHtml();
 }, { immediate: true });
 
diff --git a/dashboard/src/i18n/locales/en-US/features/settings.json b/dashboard/src/i18n/locales/en-US/features/settings.json
index c561e9d8cd..5495d523e9 100644
--- a/dashboard/src/i18n/locales/en-US/features/settings.json
+++ b/dashboard/src/i18n/locales/en-US/features/settings.json
@@ -13,7 +13,11 @@
       "testConnection": "Test Connection",
       "available": "Available",
       "unavailable": "Unavailable",
-      "custom": "Custom"
+      "custom": "Custom",
+      "readmeImages": {
+        "useGitHub": "Load plugin README images from GitHub",
+        "hint": "Images load from the local plugin directory by default. When enabled, AstrBot uses the plugin repository's default branch and applies the GitHub proxy if it is enabled."
+      }
     }
   },
   "theme": {
diff --git a/dashboard/src/i18n/locales/ru-RU/features/settings.json b/dashboard/src/i18n/locales/ru-RU/features/settings.json
index eb78ec6871..4a8f6750f4 100644
--- a/dashboard/src/i18n/locales/ru-RU/features/settings.json
+++ b/dashboard/src/i18n/locales/ru-RU/features/settings.json
@@ -13,7 +13,11 @@
             "testConnection": "Проверить соединение",
             "available": "Доступен",
             "unavailable": "Недоступен",
-            "custom": "Свой вариант"
+            "custom": "Свой вариант",
+            "readmeImages": {
+                "useGitHub": "Загружать изображения README плагинов с GitHub",
+                "hint": "По умолчанию изображения загружаются из локального каталога плагина. Если включено, AstrBot использует ветку по умолчанию репозитория плагина и применяет ускоритель GitHub, если он включен."
+            }
         }
     },
     "theme": {
diff --git a/dashboard/src/i18n/locales/zh-CN/features/settings.json b/dashboard/src/i18n/locales/zh-CN/features/settings.json
index de5748f2c6..19c3cce0cf 100644
--- a/dashboard/src/i18n/locales/zh-CN/features/settings.json
+++ b/dashboard/src/i18n/locales/zh-CN/features/settings.json
@@ -13,7 +13,11 @@
       "testConnection": "测试代理连通性",
       "available": "可用",
       "unavailable": "不可用",
-      "custom": "自定义"
+      "custom": "自定义",
+      "readmeImages": {
+        "useGitHub": "插件文档图片从 GitHub 加载",
+        "hint": "默认从本地插件目录加载，开启后会使用插件仓库的默认分支地址；若启用 GitHub 加速，将自动使用加速地址。"
+      }
     }
   },
   "theme": {
diff --git a/dashboard/src/utils/githubProxy.js b/dashboard/src/utils/githubProxy.js
new file mode 100644
index 0000000000..3535bdf681
--- /dev/null
+++ b/dashboard/src/utils/githubProxy.js
@@ -0,0 +1,51 @@
+export const GITHUB_PROXY_RADIO_VALUE_KEY = "githubProxyRadioValue";
+export const SELECTED_GITHUB_PROXY_KEY = "selectedGitHubProxy";
+export const PLUGIN_README_IMAGE_SOURCE_KEY = "pluginReadmeImageSource";
+export const PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT =
+  "plugin-readme-image-source-changed";
+
+export const PLUGIN_README_IMAGE_SOURCE = {
+  LOCAL: "local",
+  GITHUB: "github",
+};
+
+export function getSelectedGitHubProxy() {
+  if (typeof window === "undefined" || !window.localStorage) return "";
+  return localStorage.getItem(GITHUB_PROXY_RADIO_VALUE_KEY) === "1"
+    ? localStorage.getItem(SELECTED_GITHUB_PROXY_KEY) || ""
+    : "";
+}
+
+export function buildGitHubProxyUrl(url, proxy = getSelectedGitHubProxy()) {
+  const normalizedProxy = (proxy || "").trim().replace(/\/+$/, "");
+  if (!normalizedProxy) return url;
+  return `${normalizedProxy}/${url}`;
+}
+
+export function getPluginReadmeImageSource() {
+  if (typeof window === "undefined" || !window.localStorage) {
+    return PLUGIN_README_IMAGE_SOURCE.LOCAL;
+  }
+  const source = localStorage.getItem(PLUGIN_README_IMAGE_SOURCE_KEY);
+  return source === PLUGIN_README_IMAGE_SOURCE.GITHUB
+    ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+    : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+}
+
+export function isPluginReadmeGitHubImageSource() {
+  return getPluginReadmeImageSource() === PLUGIN_README_IMAGE_SOURCE.GITHUB;
+}
+
+export function setPluginReadmeImageSource(source) {
+  if (typeof window === "undefined" || !window.localStorage) return;
+  const normalizedSource =
+    source === PLUGIN_README_IMAGE_SOURCE.GITHUB
+      ? PLUGIN_README_IMAGE_SOURCE.GITHUB
+      : PLUGIN_README_IMAGE_SOURCE.LOCAL;
+  localStorage.setItem(PLUGIN_README_IMAGE_SOURCE_KEY, normalizedSource);
+  window.dispatchEvent(
+    new CustomEvent(PLUGIN_README_IMAGE_SOURCE_CHANGED_EVENT, {
+      detail: { source: normalizedSource },
+    }),
+  );
+}
diff --git a/dashboard/src/views/Settings.vue b/dashboard/src/views/Settings.vue
index a870841c70..19079cdd68 100644
--- a/dashboard/src/views/Settings.vue
+++ b/dashboard/src/views/Settings.vue
@@ -8,6 +8,9 @@
             <v-list-item>
                 <ProxySelector></ProxySelector>
             </v-list-item>
+            <v-list-item>
+                <PluginReadmeImageSourceSetting></PluginReadmeImageSourceSetting>
+            </v-list-item>
 
             <v-list-subheader>{{ tm('sidebar.title') }}</v-list-subheader>
 
@@ -231,6 +234,7 @@ import { computed, onMounted, ref, watch } from 'vue';
 import axios from 'axios';
 import WaitingForRestart from '@/components/shared/WaitingForRestart.vue';
 import ProxySelector from '@/components/shared/ProxySelector.vue';
+import PluginReadmeImageSourceSetting from '@/components/shared/PluginReadmeImageSourceSetting.vue';
 import MigrationDialog from '@/components/shared/MigrationDialog.vue';
 import SidebarCustomizer from '@/components/shared/SidebarCustomizer.vue';
 import BackupDialog from '@/components/shared/BackupDialog.vue';
diff --git a/dashboard/src/views/extension/useExtensionPage.js b/dashboard/src/views/extension/useExtensionPage.js
index 7476d252a4..79a36e1b50 100644
--- a/dashboard/src/views/extension/useExtensionPage.js
+++ b/dashboard/src/views/extension/useExtensionPage.js
@@ -2,14 +2,15 @@ import { pluginSidebarState } from "@/composables/usePluginSidebarItems";
 import { useI18n, useModuleI18n } from "@/i18n/composables";
 import { useCommonStore } from "@/stores/common";
 import { resolveErrorMessage } from "@/utils/errorUtils";
+import { getSelectedGitHubProxy } from "@/utils/githubProxy";
 import { getValidHashTab, replaceTabRoute } from "@/utils/hashRouteTabs.mjs";
 import { getPlatformDisplayName } from "@/utils/platformUtils";
 import {
-    buildSearchQuery,
-    matchesPluginSearch,
-    normalizeStr,
-    toInitials,
-    toPinyinText,
+  buildSearchQuery,
+  matchesPluginSearch,
+  normalizeStr,
+  toInitials,
+  toPinyinText,
 } from "@/utils/pluginSearch";
 import axios from "axios";
 import { computed, onMounted, onUnmounted, reactive, ref, watch } from "vue";
@@ -37,13 +38,6 @@ export const useExtensionPage = () => {
   const router = useRouter();
   const route = useRoute();
 
-  const getSelectedGitHubProxy = () => {
-    if (typeof window === "undefined" || !window.localStorage) return "";
-    return localStorage.getItem("githubProxyRadioValue") === "1"
-      ? localStorage.getItem("selectedGitHubProxy") || ""
-      : "";
-  };
-
   // 检查指令冲突并提示
   const conflictDialog = reactive({
     show: false,
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 596cdb25d8..eb0590b596 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -1752,6 +1752,123 @@ async def test_plugin_page_content_blocks_path_traversal(
     assert response.status_code == 404
 
 
+@pytest.mark.asyncio
+async def test_plugin_readme_returns_default_branch_github_raw_base(
+    app: Quart,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    authenticated_header: dict,
+    registered_plugin_page: StarMetadata,
+):
+    plugin_root = Path(registered_plugin_page.root_dir_name)
+    plugin_dir = Path(core_lifecycle_td.plugin_manager.plugin_store_path) / plugin_root
+    (plugin_dir / "README.md").write_text(
+        "# Demo\n![logo](images/logo.svg)\n",
+        encoding="utf-8",
+    )
+    registered_plugin_page.repo = "https://github.com/AstrBotDevs/AstrBot.git"
+
+    test_client = app.test_client()
+    response = await test_client.get(
+        f"/api/plugin/readme?name={PLUGIN_PAGE_DEMO_NAME}",
+        headers=authenticated_header,
+    )
+    data = await response.get_json()
+
+    assert response.status_code == 200
+    assert data["status"] == "ok"
+    assert data["data"]["content"].startswith("# Demo")
+    assert (
+        data["data"]["github_raw_base"]
+        == "https://github.com/AstrBotDevs/AstrBot/raw/HEAD"
+    )
+
+
+@pytest.mark.parametrize(
+    "repo_url",
+    [
+        None,
+        123,
+        "",
+        "https://github.com/./AstrBot",
+        "https://github.com/../AstrBot",
+        "https://github.com/AstrBotDevs/.",
+        "https://github.com/AstrBotDevs/..",
+    ],
+)
+def test_plugin_readme_github_raw_base_rejects_invalid_repo_url(repo_url):
+    route = PluginRoute.__new__(PluginRoute)
+
+    assert route._build_github_raw_base(repo_url) is None
+
+
+def test_plugin_readme_github_raw_base_accepts_www_github_repo_url():
+    route = PluginRoute.__new__(PluginRoute)
+
+    assert (
+        route._build_github_raw_base("https://www.github.com/AstrBotDevs/AstrBot.git")
+        == "https://github.com/AstrBotDevs/AstrBot/raw/HEAD"
+    )
+
+
+@pytest.mark.asyncio
+async def test_plugin_readme_asset_serves_image_from_plugin_root(
+    app: Quart,
+    authenticated_header: dict,
+    registered_plugin_page: StarMetadata,
+):
+    test_client = app.test_client()
+    response = await test_client.get(
+        f"/api/plugin/asset?name={PLUGIN_PAGE_DEMO_NAME}&path=pages/{PLUGIN_PAGE_DEMO_PAGE_NAME}/images/logo.svg",
+        headers=authenticated_header,
+    )
+    content = (await response.get_data()).decode("utf-8")
+
+    assert response.status_code == 200
+    assert response.headers["Content-Type"].startswith("image/svg+xml")
+    assert response.headers["Content-Security-Policy"] == "default-src 'none'"
+    assert "<svg" in content
+
+
+@pytest.mark.asyncio
+async def test_plugin_readme_asset_rejects_dashboard_token_query(
+    app: Quart,
+    authenticated_header: dict,
+    registered_plugin_page: StarMetadata,
+):
+    token = authenticated_header["Authorization"].removeprefix("Bearer ")
+    test_client = app.test_client()
+    response = await test_client.get(
+        "/api/plugin/asset",
+        query_string={
+            "name": PLUGIN_PAGE_DEMO_NAME,
+            "path": f"pages/{PLUGIN_PAGE_DEMO_PAGE_NAME}/images/logo.svg",
+            "token": token,
+        },
+    )
+
+    assert response.status_code == 401
+
+
+@pytest.mark.asyncio
+async def test_plugin_readme_asset_blocks_non_images_and_path_traversal(
+    app: Quart,
+    authenticated_header: dict,
+    registered_plugin_page: StarMetadata,
+):
+    test_client = app.test_client()
+    non_image_response = await test_client.get(
+        f"/api/plugin/asset?name={PLUGIN_PAGE_DEMO_NAME}&path=pages/{PLUGIN_PAGE_DEMO_PAGE_NAME}/app.js",
+        headers=authenticated_header,
+    )
+    traversal_response = await test_client.get(
+        f"/api/plugin/asset?name={PLUGIN_PAGE_DEMO_NAME}&path=../README.md",
+        headers=authenticated_header,
+    )
+
+    assert non_image_response.status_code == 404
+    assert traversal_response.status_code == 404
+
+
 @pytest.mark.asyncio
 async def test_logout_clears_cookie_for_plugin_page(
     app: Quart,