baoyu-url-to-markdown

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill allows fetching any URL provided as an argument, which includes support for the file:// scheme and internal network addresses (e.g., 127.0.0.1, 169.254.169.254). An attacker or a malicious prompt could trigger the agent to read sensitive local files (like /etc/passwd or SSH keys) or internal cloud metadata, which are then converted to Markdown and exposed to the agent.
  • [DATA_EXFILTRATION]: The skill's output path can be controlled via the -o or --output command-line flags. There is no validation to ensure the path is within a restricted directory, potentially allowing the skill to overwrite sensitive system files if the agent is running with sufficient permissions.
  • [COMMAND_EXECUTION]: The skill spawns a Chrome/browser process using node:child_process. While the arguments are mostly static, the executable path can be overridden by the URL_CHROME_PATH environment variable. If an attacker can influence the environment, they could redirect this to a malicious binary.
  • [PROMPT_INJECTION]: The skill acts as a data ingestion point for the agent, fetching untrusted content from the web and converting it to Markdown. This is a classic surface for Indirect Prompt Injection, where a website can include hidden instructions to manipulate the agent's future actions.
      • Ingestion points: scripts/main.ts via the captureUrl function, which fetches any user-provided URL.
      • Boundary markers: Absent. The resulting Markdown content is not wrapped in protective delimiters or accompanied by instructions for the agent to ignore embedded commands.
      • Capability inventory: The skill (and the agent using it) has the ability to write files (node:fs/promises), execute shell commands (node:child_process), and perform network operations.
      • Sanitization: Partial. The skill uses linkedom and Readability to clean HTML, removing script, style, and iframe tags, which mitigates technical exploits but not natural-language instructions.
  • [EXTERNAL_DOWNLOADS]: The skill documentation suggests using npx -y bun, which dynamically downloads the Bun runtime from the npm registry if it is not present on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 4, 2026, 09:58 AM