web-to-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill provides command templates like `web2md '<url>'`. This is susceptible to shell injection if a URL contains unescaped single quotes, potentially allowing an attacker to execute arbitrary commands on the host system.
- EXTERNAL_DOWNLOADS (LOW): The skill recommends installing a local package using `npm install` in a specific path (`~/workspace/softaworks/projects/web2md`). This path is not verified, and running install commands on untrusted local code can lead to execution of malicious lifecycle scripts.
- PROMPT_INJECTION (LOW): The skill uses specific phrases as trigger gates. While intended to restrict use, these instructions are part of the prompt and rely on the model's adherence to those specific instructions.
- DATA_EXPOSURE (LOW): The skill allows the agent to specify filesystem paths via `--user-data-dir` and `--chrome-path`. This could be exploited to read sensitive files or execute different binaries if inputs are not strictly validated.
- INDIRECT_PROMPT_INJECTION (LOW): The skill's primary function is to process untrusted web content and return it to the agent, creating a large attack surface for indirect prompt injection.
  - Ingestion points: Fetches content from external URLs provided by the user via the `web2md` execution defined in `SKILL.md`.
  - Boundary markers: Absent; the converted Markdown is returned without delimiters or warnings.
  - Capability inventory: Shell command execution (`web2md`, `mkdir`, `ls`, `wc`) and file writing capabilities defined in `SKILL.md`.
  - Sanitization: No sanitization or filtering of the retrieved web content is performed before it is presented to the agent.
Audit Metadata