NYC

markdown-converter

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
Category: PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (MEDIUM): The skill is vulnerable to indirect prompt injection through the files it processes.
    • Ingestion points: scripts/markdown_converter.py reads untrusted data from the input_path (Markdown content) and the custom_css path.
    • Boundary markers: Absent. Content is directly read and formatted into the HTML_TEMPLATE string without delimiters or instructions to ignore embedded commands.
    • Capability inventory: The script performs file system read/write operations and generates content that may be interpreted by other agents or displayed to users.
    • Sanitization: Absent. The markdown library is used with its default configuration, which does not strip raw HTML or script tags. Malicious payloads (e.g., <script> tags or AI instructions) in the input files will be passed through to the output.
  • [Data Exposure & Exfiltration] (LOW): The tool allows reading of arbitrary local files if the path is provided as the input or css argument. While there is no automated network exfiltration, this could be used to render and expose sensitive local files (like configuration or credentials) into a more readable HTML/PDF format.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 05:20 AM