baoyu-url-to-markdown
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

All findings:
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

Functionally coherent skill: fetch a web page via Chrome CDP and convert it to markdown, with a legitimate wait-for-user mode to capture authenticated pages. The main security concerns are supply-chain download-and-execute via `npx -y bun` (untrusted/unpinned runtime install) and the ability to load a user Chrome profile or data directory, which can expose cookies/session data. No explicit malicious code appears in the provided text, but the described distribution/execution pattern and profile access are high-risk vectors and warrant caution and a code audit before use.

LLM verification: The skill appears to implement its stated functionality (render a URL via Chrome CDP and convert it to Markdown). No explicit malicious behaviors (exfiltration endpoints, hardcoded credentials, reverse shells) are visible in the provided documentation. Notable security and supply-chain risks: (1) Examples encourage `npx -y bun` (download-and-execute supply-chain risk); (2) support for loading a real Chrome profile and reading user-level EXTEND.md increases the chance of capturing sensitive/authe