baoyu-markdown-to-html
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill dynamically loads and executes JavaScript modules for syntax highlighting from a remote Aliyun OSS bucket (`https://cdn-doocs.oss-cn-shenzhen.aliyuncs.com/npm/highlightjs/...`) using the `import()` function in `scripts/md/utils/languages.ts`. This bypasses standard dependency management and allows for arbitrary code execution from a non-standard source.
- [DYNAMIC_EXECUTION]: The script `scripts/main.ts` uses `child_process.spawnSync` to execute `npx -y bun` on an internal rendering script. While intended for processing, this mechanism increases the attack surface for command manipulation.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill performs outbound network requests to download image files from arbitrary URLs found in the markdown input (via `scripts/main.ts`) and to fetch SVG content for PlantUML diagrams. These operations can be exploited for Server-Side Request Forgery (SSRF) or tracking.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external markdown content which can contain malicious instructions intended to trick the agent if it evaluates the generated HTML or intermediate results.
  - Ingestion points: Reads markdown files from the local file system using `fs.readFileSync` in `scripts/main.ts`.
  - Boundary markers: None. Content is processed without delimiters to separate user data from agent instructions.
  - Capability inventory: Subprocess execution (`spawnSync`), network downloads (`https.get`), and file system write access.
  - Sanitization: There is no significant sanitization of the input markdown content before it is passed to the rendering engine.
Recommendations
- AI detected serious security threats
Audit Metadata