preview-md
Fail
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The local HTTP server started by scripts/preview-md.mjs exposes an /api/file endpoint that takes a path parameter and returns the full content of the file. There is no path validation or sandboxing, so any file readable by the agent process (such as SSH keys, configuration files, or credentials) can be retrieved via this endpoint.
- [COMMAND_EXECUTION]: The hook script scripts/md-notify.sh extracts the file path from tool outputs and interpolates it directly into a suggested command string (python3 .../md-preview.py "$file_path"). If a file path contains shell metacharacters (e.g., ;, &, |), this could lead to arbitrary command execution if the agent follows the instruction literally.
- [COMMAND_EXECUTION]: The preview scripts use child_process.exec in Node.js and webbrowser.open in Python to launch the default system browser with dynamically generated URLs and file paths.
- [EXTERNAL_DOWNLOADS]: The skill performs an update check by fetching a version file from a remote GitHub repository (https://raw.githubusercontent.com/312362115/claude/main/skills/preview-md/VERSION).
- [PROMPT_INJECTION]: The SKILL.md instructions include mandatory triggers ("MUST trigger this skill", "不可跳过原则" ("must-not-skip principle")) that attempt to override the agent's autonomy and decision-making regarding when to use the tool, insisting that the agent cannot skip the preview step based on its own judgment.
- [DATA_EXFILTRATION]: The Markdown rendering implementation in both Python and Node.js lacks HTML sanitization. A malicious Markdown file containing <script> tags could execute JavaScript in the user's browser context. Combined with the /api/file endpoint, this could be used to exfiltrate local data if the server port is known or guessed.
Recommendations
- AI detected serious security threats
Audit Metadata