baoyu-url-to-markdown
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection. The skill ingests untrusted data from external URLs (main.ts) and converts it to Markdown. Evidence:
  1. Ingestion point: args.url in main.ts.
  2. Boundary markers: Absent.
  3. Capability inventory: Local browser execution (main.ts) and file system writes (main.ts).
  4. Sanitization: html-to-markdown.ts removes structural tags like but preserves the text content, which can contain malicious instructions.
- [COMMAND_EXECUTION] (HIGH): The skill launches a local Chrome process via CDP (main.ts). This presents a significant attack surface if the browser rendering engine is exploited by malicious web content.
- [DATA_EXFILTRATION] (MEDIUM): SSRF vulnerability. The skill can be directed to fetch and render internal network resources (e.g., localhost or cloud metadata services), exposing internal data as Markdown to the agent.
- [EXTERNAL_DOWNLOADS] (LOW): The skill documentation (SKILL.md) recommends using npx -y bun, which downloads the Bun runtime from the npm registry at execution time.
Recommendations
- AI detected serious security threats