md2pdf
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to process external Markdown files (input.md) and custom CSS. Markdown converters pass raw HTML through, and PDF engines such as WeasyPrint resolve every URL referenced from that HTML and CSS, so the document being converted controls what the renderer fetches. If the input source is untrusted (e.g., a web page summary or a user-provided file), an attacker could use tags like , , or a CSS @import to read local files (e.g., /etc/passwd) into the PDF or to make requests to internal network services.
  - Ingestion Point: scripts/md2pdf.py via the input.md and --style arguments.
  - Boundary Markers: None. The skill documentation does not mention sanitizing input or restricting resource fetching with WeasyPrint's base_url or url_fetcher options.
- Capability Inventory: File write (output.pdf); shell execution via uv run and chmod.
- Sanitization: None evident; the script likely passes raw content to the rendering engine.
- Privilege Escalation (MEDIUM): The documentation instructs the user/agent to run sudo apt install and chmod +x. While common for setup, an autonomous agent executing these could compromise host security.
- Dynamic Execution (MEDIUM): The skill claims to 'automatically configure Homebrew library paths' on macOS. This typically involves modifying DYLD_LIBRARY_PATH or similar environment variables at runtime, which can be used for library hijacking or process injection if not strictly controlled.
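As an added example (not part of this audit and not the md2pdf skill's own code), the restriction the Boundary Markers finding refers to: a WeasyPrint url_fetcher that refuses file:// reads outside one designated asset directory and refuses requests to loopback, private and link-local hosts, with base_url pointed at that same directory so relative links cannot escape it. ASSET_DIR, check_url, is_allowed, safe_url_fetcher and render_pdf are hypothetical names chosen here; the only WeasyPrint calls used are HTML(string=..., base_url=..., url_fetcher=...) and default_url_fetcher(url, timeout=..., ssl_context=...). WeasyPrint is imported lazily, so the checks run without it installed.

```python
"""Restricted url_fetcher for WeasyPrint (added example, not the skill's code)."""
import ipaddress
from pathlib import Path
from urllib.parse import unquote, urlsplit
from urllib.request import url2pathname

# Hypothetical: the only directory from which file:// resources may be read.
ASSET_DIR = Path("assets").resolve()

# data: for inline images emitted by the Markdown converter, https for remote
# assets, file only inside ASSET_DIR; everything else (http, ftp, ...) is refused.
ALLOWED_SCHEMES = {"https", "file", "data"}


class BlockedURL(ValueError):
    """Raised for any resource the renderer must not fetch."""


def _is_non_public_host(host: str) -> bool:
    """True for loopback, private, link-local (cloud metadata) and local names."""
    if host == "localhost" or host.endswith((".localhost", ".local", ".internal")):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname: DNS is not resolved here (see note below)


def check_url(url: str) -> str:
    """Return the URL to fetch (file URLs normalised) or raise BlockedURL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {scheme or '<none>'}")
    if scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise BlockedURL("file URL with a remote host")
        # Resolve symlinks and '..' before comparing against the asset directory.
        target = Path(url2pathname(unquote(parts.path))).resolve()
        try:
            target.relative_to(ASSET_DIR)
        except ValueError:
            raise BlockedURL(f"local path outside asset dir: {target}") from None
        return target.as_uri()
    if scheme == "https":
        if parts.username or parts.password:
            raise BlockedURL("credentials embedded in URL")
        if _is_non_public_host(parts.hostname or ""):
            raise BlockedURL(f"non-public host: {parts.hostname}")
    return url


def is_allowed(url: str) -> bool:
    """Boolean form of check_url, for policy tests and logging."""
    try:
        check_url(url)
    except BlockedURL:
        return False
    return True


def safe_url_fetcher(url, timeout=10, ssl_context=None):
    """Drop-in replacement for weasyprint.default_url_fetcher."""
    from weasyprint import default_url_fetcher  # lazy: module loads without WeasyPrint
    return default_url_fetcher(check_url(url), timeout=timeout, ssl_context=ssl_context)


def render_pdf(html: str, output: Path) -> None:
    """Render with fetching restricted; base_url keeps relative links inside ASSET_DIR."""
    from weasyprint import HTML
    HTML(string=html, base_url=ASSET_DIR.as_uri() + "/",
         url_fetcher=safe_url_fetcher).write_pdf(str(output))


if __name__ == "__main__":
    # Constructed sample of what the raw HTML in a hostile input.md could reference.
    for u in ("file:///etc/passwd",
              "https://169.254.169.254/latest/meta-data/",
              "https://localhost:8080/admin",
              "http://example.com/x.png",
              (ASSET_DIR / "logo.png").as_uri()):
        print("allowed" if is_allowed(u) else "blocked", u)
```

Two gaps remain by design and should be closed if remote assets are needed at all: a public hostname that resolves to a private address is not caught because the check never resolves DNS, and an HTTPS redirect to an internal host is followed by the underlying fetcher, not re-validated here. The simplest hardening for a skill whose inputs are untrusted is to drop "https" from ALLOWED_SCHEMES entirely, leaving only data: URLs and files under the asset directory.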
Recommendations
- AI detected serious security threats
Audit Metadata