to-markdown
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands to install dependencies via
uv pipandplaywright install. These are documented setup steps for the environment. - [EXTERNAL_DOWNLOADS]: Fetches and installs Python packages from PyPI and downloads Chromium binaries from the Playwright project's official sources. These are well-known technology services and the downloads are part of standard tool configuration.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection (Category 8). It ingests untrusted data from arbitrary files and URLs to produce Markdown for LLM ingestion.
- Ingestion points: Processes local files (PDF, Word, Excel, etc.) and remote URLs through Trafilatura and Playwright (documented in
SKILL.mdandreferences/fetch.md). - Boundary markers: The instructions do not define specific delimiters or instructions to the agent to disregard commands found within the converted text.
- Capability inventory: The skill environment has capabilities for subprocess execution, network fetching, and file system writes.
- Sanitization: There is no evidence of sanitization or filtering applied to the extracted text content to prevent embedded instructions from being interpreted by an LLM in the pipeline.
Audit Metadata