renaissance-md-html

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH (DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The script scripts/md_to_renaissance_html.mjs allows reading arbitrary files from the local filesystem. The --input argument is passed directly to fs.readFileSync without validation, allowing access to any file the agent has permissions to read. Additionally, the image embedding feature in toDataUrl uses fs.readFileSync on paths extracted from Markdown image syntax ![alt](path). An attacker can exploit this by including sensitive paths (e.g., ![config](file:///etc/passwd)) which the script will convert to Base64 and embed in the output HTML.
  • [EXTERNAL_DOWNLOADS]: The script performs unvalidated network requests to fetch images. The fetch(imageUrl) call in toDataUrl will attempt to download content from any URL provided in the Markdown. This can be used for Server-Side Request Forgery (SSRF) or to leak execution context to an external listener.
  • [PROMPT_INJECTION]: The skill processes untrusted Markdown data from external sources and possesses significant capabilities including file system access and network operations. It lacks boundary markers or sanitization for the Markdown content, creating an attack surface for indirect prompt injection where malicious instructions embedded in a processed document could influence the agent's behavior. Evidence includes ingestion via stdin and the --input flag in scripts/md_to_renaissance_html.mjs without sufficient isolation between data and command context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 7, 2026, 07:33 PM