markdown-to-pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted external data (Markdown files) and provides a path for malicious instructions to influence the agent's output or environment.
  • Ingestion points: The script scripts/md_to_pdf.py reads the entire content of a user-provided file via input_path.read_text().
  • Boundary markers: Absent. There are no delimiters or instructions to the agent to disregard instructions contained within the Markdown content.
  • Capability inventory: The skill can write files to the local filesystem via HTML.write_pdf().
  • Sanitization: Absent. The build_html function uses the markdown library without a sanitizer, and weasyprint renders the resulting HTML/CSS without restricting resource fetching.
  • [Data Exposure] (HIGH): WeasyPrint, the rendering engine used, by default follows URI schemes including file://. An attacker can craft a Markdown file containing HTML tags like <img src="file:///etc/passwd">. When processed, WeasyPrint will attempt to read the local file and embed its contents into the generated PDF, leading to sensitive data exposure.
  • [External Downloads] (LOW): The skill installs two third-party Python packages (markdown and weasyprint) from PyPI. While these are standard packages, the instructions to apply a proxy before installation are unusual but not inherently malicious.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:54 PM