md-to-html

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The script md-to-html.ts is vulnerable to shell command injection.
  • The runCommand function calls child_process.spawn with the { shell: true } option enabled.
  • The script builds the shell command by interpolating the filePath variable, which is taken directly from the command-line arguments (process.argv[2]).
  • Although the script wraps filePath in double quotes, it does not escape quotes already present in the input. A filename such as "; touch /tmp/exploit; #.md" would therefore close the quoted string and cause arbitrary shell commands to run.
  • [EXTERNAL_DOWNLOADS] (LOW): The script includes a fallback mechanism that uses nix run nixpkgs#pandoc if the pandoc binary is not found. This results in the dynamic download and execution of software from the Nix repository at runtime.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:34 PM