baoyu-url-to-markdown

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function is to ingest external, untrusted content from the internet and present it to the agent. This content can contain malicious instructions designed to hijack the agent's logic.
      • Ingestion points: The scripts/main.ts file accepts arbitrary URLs via the command line and fetches their full content using Chrome.
      • Boundary markers: No boundary markers or clear delimiters are used to separate the untrusted web content from the agent's system instructions in the resulting markdown output.
      • Capability inventory: The script has the capability to write files (writeFile) and create directories (mkdir) on the host system.
      • Sanitization: The tool converts HTML to Markdown, which does not sanitize or filter malicious natural language instructions.
  • External Downloads & RCE (MEDIUM): The skill instructions in SKILL.md use npx -y bun to execute scripts. This command automatically downloads and runs the bun runtime if it is not present, which is a form of remote code acquisition.
  • Command Execution (LOW): The skill executes local TypeScript files using the bun runtime, which involves spawning subprocesses and direct system interaction.
  • Missing Source Files (INFO): The files scripts/cdp.js and scripts/html-to-markdown.js are referenced but missing from the package. This prevents an audit of how the browser is controlled and how the HTML parsing is performed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 07:54 AM