web-to-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the agent to install and build a local Node.js project from a hardcoded path (`~/workspace/softaworks/projects/web2md`). This is a supply chain risk; if an attacker can write to this directory, the agent will execute malicious code during the `npm install` or `npm run build` phases.
- [COMMAND_EXECUTION] (LOW): The skill executes shell commands using user-supplied URLs. While URLs are wrapped in single quotes to mitigate simple shell injection, the skill also supports sensitive browser flags like `--no-sandbox` (which weakens process isolation) and `--user-data-dir` (which grants the tool access to persistent browser profiles, potentially including session cookies and saved passwords).
- [PROMPT_INJECTION] (LOW): The skill has a high surface for Indirect Prompt Injection.
  - Ingestion points: Fetches content from arbitrary URLs via Puppeteer.
  - Boundary markers: None. The Markdown output is returned directly to the agent context without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The agent has capabilities to run shell commands (`web2md`, `mkdir`, `ls`).
  - Sanitization: Uses Mozilla Readability and Turndown to clean HTML, but these libraries do not filter for malicious natural language instructions embedded in the page text.
Audit Metadata