markdown-fetch
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/fetch.sh is vulnerable to command injection via the $URL parameter. It uses an unquoted heredoc (<<EOF) to build the JSON body, which allows the shell to evaluate any command substitutions within the URL before execution.
- [REMOTE_CODE_EXECUTION]: The script is vulnerable to remote command injection as it places data from the markdown.new API (like the title field) into another unquoted heredoc. Malicious data from the remote service can lead to arbitrary code execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. 1. Ingestion points: scripts/fetch.sh reads data from arbitrary URLs via curl. 2. Boundary markers: No delimiters or warnings are used to isolate fetched content. 3. Capability inventory: The skill can execute network requests and write to the filesystem. 4. Sanitization: None.
- [DATA_EXFILTRATION]: The identified command injection vulnerabilities can be exploited to access and exfiltrate sensitive local information, such as environment variables or credentials, by embedding shell commands into the processed data.
Recommendations
- AI detected serious security threats
Audit Metadata