markdown-to-pdf
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: NO_CODE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [NO_CODE] (MEDIUM): The primary implementation file scripts/convert.cjs is missing from the skill. As this script handles the CLI arguments and the interaction with the PDF generation library, its absence prevents the verification of input validation and safe execution practices.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of md-to-pdf, which automatically downloads a ~200MB Chromium binary via Puppeteer. Large binary downloads from external sources during package installation increase the attack surface and dependency risk.
- [Indirect Prompt Injection] (LOW):
  - Ingestion points: The skill ingests untrusted content via markdown files specified by the --file argument.
  - Boundary markers: None. There are no instructions or delimiters to prevent the browser engine from interpreting embedded HTML or scripts within the markdown.
  - Capability inventory: The skill uses Puppeteer to render content, a capability that allows for network requests (SSRF) and script execution (XSS) if not strictly sandboxed.
  - Sanitization: Unknown. Due to the missing scripts/convert.cjs, it is impossible to determine if the skill applies any sanitization or uses Puppeteer's security features to mitigate risks from malicious markdown content.
Audit Metadata