md2pdf
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill directly executes shell commands involving `pandoc` and `pdflatex`. It includes shell loops for batch processing (`for file in docs/*.md; do ...`), which, while functional, can be risky if file names are maliciously crafted or if the agent executes these without verifying the target directory.
- REMOTE_CODE_EXECUTION (MEDIUM): The troubleshooting section suggests using the flag `--pdf-engine-opt=-shell-escape`. In LaTeX environments, `shell-escape` allows the TeX engine to execute arbitrary shell commands. If an attacker provides a markdown file containing malicious LaTeX code (e.g., `\write18{...}`), enabling this flag would allow full system compromise during the conversion process.
- INDIRECT PROMPT INJECTION (LOW): The skill is vulnerable to indirect prompt injection due to the way it processes external data.
  - Ingestion points: Reads and processes markdown files such as `input.md` and `docs/*.md` provided by the user or found in the environment.
  - Boundary markers: Absent. The instructions do not define delimiters for the markdown content or instruct the agent to ignore instructions embedded within the files.
  - Capability inventory: Uses `pandoc` to process files, which supports filters and LaTeX engines capable of executing system commands or reading other local files.
  - Sanitization: Absent. There is no validation or sanitization of the markdown content before it is passed to the PDF engine.
Audit Metadata