summarize

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH

PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION

Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH risk primarily due to a direct prompt injection vulnerability. User-supplied input via the --prompt argument is directly passed to the AI model, allowing an attacker to manipulate the LLM's behavior. Additionally, the skill relies on an external, unverified command-line tool (uvx markitdown) and executes a local Node.js script (to-markdown.mjs), which introduces risks of arbitrary command execution and potential data exfiltration if these components are malicious or compromised. The skill's ability to process arbitrary local files also creates a vector for sensitive data access.

Total Findings: 5

🔴 HIGH Findings:

• Prompt Injection
  • Line 30: node to-markdown.mjs <url-or-path> --summary --prompt "Summarize focusing on X, for audience Y. Extract Z."
  • The --prompt argument directly passes user input to the pi --model claude-haiku-4-5 command, allowing for prompt injection.

🟡 MEDIUM Findings:

• Unverifiable Dependency
  • Line 16: uvx markitdown <url-or-path>
  • The skill relies on uvx markitdown, an external command-line tool whose source code is not provided for analysis. This constitutes an unverifiable dependency.

• Command Execution
  • Line 16: uvx markitdown <url-or-path>
  • The skill executes uvx markitdown and node to-markdown.mjs. If markitdown or to-markdown.mjs are malicious or contain vulnerabilities, this could lead to arbitrary command execution.

• Data Exfiltration Potential
  • Line 16: uvx markitdown <url-or-path>
  • The skill can process arbitrary local files (<url-or-path>). While the skill itself doesn't explicitly exfiltrate data, a compromised markitdown tool or a malicious input could be crafted to read sensitive local files and potentially exfiltrate them via markitdown's network access capabilities (fetching URLs).

🔵 LOW Findings: • None

ℹ️ TRUSTED SOURCE References: • None

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 05:55 PM