markdown-new
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill possesses a significant attack surface for indirect prompt injection attacks.
- Ingestion points: The
scripts/markdown_new_fetch.pyscript fetches content from arbitrary, user-supplied URLs viaurllib.request.urlopen. - Boundary markers: The skill supports wrapping content in
<url>tags when using the--deliver-mdflag. However, these are weak delimiters and do not prevent an LLM from processing or obeying instructions embedded within the fetched markdown. - Capability inventory: The skill can write data to the local filesystem (
--outputflag) and create directories (path.parent.mkdir). This capability could be exploited if an ingested instruction directs the agent to overwrite sensitive local files. - Sanitization: The script performs no sanitization or filtering of the content returned by the external service before it is presented to the agent or written to disk.
- Data Exposure & Exfiltration (LOW): The script communicates with
https://markdown.new/, which is not on the trusted domain whitelist. While this is the primary purpose of the skill, it represents a network communication point for potentially sensitive URLs. - Command Execution (LOW): The skill allows the agent to write files to arbitrary paths and create directories. While intended for saving markdown, a compromised or confused agent could use this to clutter the filesystem or overwrite files if strict path validation is not enforced by the host environment.
Audit Metadata