url-to-markdown

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts arbitrary http(s) URLs and scrapes them via the firecrawl pipeline (see SKILL.md "Provide a URL and capture the markdown from stdout" and scripts/url_to_markdown_scrape.sh which runs firecrawl ... scrape "$url"), so it fetches untrusted public web content and returns it for the agent to read and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docker-compose manifest generated at runtime pulls and builds remote artifacts—specifically the git build context "https://github.com/firecrawl/firecrawl.git#main:apps/nuq-postgres" and container images "ghcr.io/firecrawl/firecrawl:latest" and "ghcr.io/firecrawl/playwright-service:latest"—which will be fetched during docker compose up and result in execution of remote code that the skill requires to run.