baoyu-format-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes a shell command with an interpolated variable that is not properly sanitized for shell metacharacters.
  - Evidence: In `scripts/autocorrect.ts`, the `applyAutocorrect` function calls `execSync("npx autocorrect-node --fix \"${filePath}\"", { stdio: "inherit" });`.
  - Risk: If an attacker can control the `filePath` (e.g., by providing a file with a name like `test.md"; touch exploit; "`), they can execute arbitrary shell commands on the host system.
- EXTERNAL_DOWNLOADS (LOW): The script uses `npx` to execute external tools, which can lead to runtime code downloads.
  - Evidence: Usage of `npx autocorrect-node` in `scripts/autocorrect.ts`.
  - Risk: `npx` may fetch and execute packages from the npm registry at runtime if they are not cached, introducing unverified third-party code.
- PROMPT_INJECTION (LOW): The skill processes untrusted markdown content, creating a surface for indirect prompt injection.
  - Ingestion points: `readFileSync(filePath, "utf-8")` in `scripts/main.ts` reads the content of local markdown files.
  - Boundary markers: None. The skill parses the content directly into an AST and back to a string without using delimiters to isolate untrusted data.
  - Capability inventory: The skill can write to the filesystem (`writeFileSync`) and execute shell commands (`execSync`).
  - Sanitization: The script performs no validation or sanitization of the input file content or the file path variable used in the shell execution.
Audit Metadata