baoyu-markdown-to-html

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/md/utils/languages.ts uses dynamic import() to fetch and execute JavaScript language grammars from a remote Alibaba Cloud CDN (https://cdn-doocs.oss-cn-shenzhen.aliyuncs.com) at runtime.
  • [EXTERNAL_DOWNLOADS]: The downloadFile function in scripts/main.ts is designed to fetch files from any URL found within the processed Markdown content and save them to the local file system.
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md suggest using npx -y bun, which involves dynamically downloading and running the Bun executable to perform the conversion tasks.
  • [DATA_EXFILTRATION]: In scripts/md/extensions/plantuml.ts, the skill sends user-provided diagram code to an external server (https://www.plantuml.com/plantuml) for processing and rendering, which results in the exposure of that data to a third party.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 12, 2026, 07:52 AM