baoyu-url-to-markdown
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION]: The skill lacks validation for the input URL in `scripts/main.ts`. This allows the tool to fetch sensitive local files (e.g., `file:///etc/passwd`, `file:///Users/user/.ssh/id_rsa`) or internal network resources, which are then converted to Markdown and returned to the agent's context.
- [COMMAND_EXECUTION]: The script `scripts/cdp.ts` uses `child_process.spawn` to launch browser executables found on the system. While it targets known browser paths, it passes the unvalidated user-provided URL directly as a command-line argument.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download content from arbitrary external URLs provided at runtime. While this is the intended functionality, it introduces a significant attack surface for ingesting malicious content.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the web and presents it to the agent.
  - Ingestion points: The `url` argument in `scripts/main.ts` triggers the fetch of external web content.
  - Boundary markers: Absent. The generated Markdown document includes YAML frontmatter but does not use clear delimiters or warnings to instruct the agent to ignore instructions within the fetched content.
  - Capability inventory: The skill has the ability to spawn processes (`scripts/cdp.ts`) and write files to the local filesystem (`scripts/main.ts`).
  - Sanitization: `scripts/html-to-markdown.ts` removes `<script>` and `<style>` tags, which prevents code execution in the browser, but it does not sanitize or filter natural language instructions that could trigger behavior in the AI agent.