baoyu-markdown-to-html

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file scripts/md/utils/languages.ts uses dynamic import() to fetch and execute language definitions from a remote CDN (cdn-doocs.oss-cn-shenzhen.aliyuncs.com), allowing for arbitrary code execution if the remote source is compromised.
  • [COMMAND_EXECUTION]: The main script scripts/main.ts executes shell commands using spawnSync to run the rendering process and manage dependencies via npx and bun.
  • [EXTERNAL_DOWNLOADS]: The downloadFile function in scripts/main.ts fetches content from arbitrary external URLs provided within the input Markdown and saves it to a local temporary directory.
  • [EXTERNAL_DOWNLOADS]: The skill triggers external downloads from the npm registry during execution through the use of npx -y.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 9, 2026, 11:41 PM