web-to-markdown

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection. It retrieves content from external, untrusted web URLs and processes it into Markdown for the agent to use. A malicious website could embed instructions (e.g., in HTML comments or hidden text) that, when converted to Markdown and read by the agent, could cause the agent to perform unauthorized actions.
  • Ingestion points: Untrusted web content via the web2md tool.
  • Boundary markers: Absent. There are no instructions to the agent to treat the resulting Markdown as untrusted or to ignore instructions embedded within it.
  • Capability inventory: File system access (writing Markdown), directory creation (mkdir), and shell command execution (web2md).
  • Sanitization: Absent. The content is passed from the web to the agent's context without filtering for malicious prompt instructions.
  • COMMAND_EXECUTION (HIGH): The skill relies on executing shell commands built from user-provided input (URLs). The documentation suggests wrapping URLs in single quotes, but if the agent fails to properly escape a URL containing shell metacharacters or single quotes, the result could be arbitrary command injection on the host system.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of web2md, an external CLI tool. The source of this tool is not from a verified or trusted repository within the defined scope, posing a risk of supply chain attack if the user is directed to a malicious package or repository.
  • DATA_EXFILTRATION (LOW): The skill supports the --user-data-dir flag. If an attacker can influence the path provided to this flag via prompt injection, they might attempt to point the browser at sensitive directories or attempt to capture browser session data, though this is a more complex attack vector.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:07 PM