html-to-image

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The skill transmits potentially sensitive HTML content, which may include data from the agent's memory or local environment, to an external service (html2png.dev). Because the skill explicitly supports JavaScript execution, malicious scripts could be embedded in the HTML to facilitate the exfiltration of data.
  • [SSRF / DATA_EXPOSURE] (HIGH): The /api/screenshot endpoint accepts arbitrary URLs. This presents a Server-Side Request Forgery (SSRF) risk where an attacker could use the rendering service to probe internal infrastructure, metadata endpoints, or local files (e.g., via file:// or http://localhost) that are otherwise inaccessible.
  • [INDIRECT_PROMPT_INJECTION] (HIGH):
      • Ingestion points: The html parameter in the convert request and the url parameter in the screenshot request are untrusted input vectors.
      • Boundary markers: Absent. The skill does not define delimiters or provide instructions to the agent on how to safely handle untrusted data before conversion.
      • Capability inventory: Capability to perform outbound network requests to a third-party API and execute JavaScript logic within the render.
      • Sanitization: None. The skill documentation encourages the inclusion of external scripts and arbitrary CSS/JS.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on and encourages loading resources from external CDNs such as unpkg.com and cdnjs.cloudflare.com. While common, these are unverifiable third-party dependencies at runtime.
  • [COMMAND_EXECUTION] (MEDIUM): The skill facilitates the execution of JavaScript in a remote browser environment. While the execution is sandboxed on the service provider's end, it allows for complex logic to be executed as part of the image generation process, which can be leveraged for sophisticated phishing or data harvesting.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:04 PM