web-to-markdown
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests data from external websites, creating a potential vector for indirect prompt injection where malicious instructions embedded in a web page could influence the agent's downstream tasks.
- Ingestion points: Web content is fetched from arbitrary URLs in
scripts/scrape-and-convert.tsusing Playwright. - Boundary markers: The skill formats output with URL headers but does not explicitly instruct the agent to ignore directions found within the scraped content.
- Capability inventory: The skill uses
Bashto runpnpm tsx, can write to the local filesystem (docs/web-captures/), and has network access via the headless browser. - Sanitization: The scraping process removes
script,style, andnoscripttags to prevent browser-side code execution but does not filter the text for natural language prompt injection patterns. - [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill installs Playwright and browser binaries from Microsoft repositories, which is considered a trusted source.
- Evidence:
SKILL.mdinstructions andpackage.jsondependencies point to standard, reputable packages and official installation methods.
Audit Metadata