baoyu-format-markdown
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The applyAutocorrect function in scripts/autocorrect.ts uses execSync with a template literal to execute a command. The filePath variable is interpolated directly into the shell string without sanitization. Evidence: execSync(`npx autocorrect-node --fix "${filePath}"`, { stdio: "inherit" }) in scripts/autocorrect.ts. Because filePath is taken from command line arguments in scripts/main.ts, an attacker could provide a malicious path (e.g., test.md"; malicious_command; #) to execute arbitrary system commands with the permissions of the agent.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The use of npx in scripts/autocorrect.ts executes a package from the npm registry at runtime, which is an unverifiable dependency pattern. Evidence: npx autocorrect-node.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted markdown data through readFileSync in scripts/main.ts, creating an indirect prompt injection surface. Evidence Chain: 1. Ingestion: readFileSync (scripts/main.ts); 2. Boundary markers: Absent; 3. Capability inventory: execSync (scripts/autocorrect.ts), writeFileSync (scripts/main.ts); 4. Sanitization: Absent. Malicious instructions inside a file could potentially be parsed and influence the agent if the agent interprets the formatted markdown as instructions.
Recommendations
- AI detected serious security threats
Audit Metadata