Skills
skills/tukuaiai/vibe-coding-cn/markdown-to-epub/Gen Agent Trust Hub

markdown-to-epub

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/build_epub.py executes the external ebook-convert binary using subprocess.run. While the use of a list for arguments mitigates shell injection, the binary path itself is configurable via the --ebook-convert-bin flag, which could be abused if an attacker influences the command-line arguments.
  • [DATA_EXFILTRATION]: The image resolution logic in the resolve_source_file function is vulnerable to path traversal. It uses .resolve() on paths extracted from the Markdown file without verifying that the resulting path is contained within the intended source_root. This allows the script to read arbitrary files accessible to the user (e.g., ![](../../.ssh/id_rsa)) and copy them into the build_epub/assets directory.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via its data ingestion points.
  • Ingestion points: Reads and processes user-provided Markdown files and an optional fallback JSON map.
  • Boundary markers: Absent; there are no delimiters or instructions to prevent the agent or the conversion tool from interpreting malicious content within the Markdown as instructions.
  • Capability inventory: The skill has the capability to execute subprocesses, read/write files, and delete directories via shutil.rmtree.
  • Sanitization: Absent; the script does not sanitize Markdown content or validate that file paths remain within a sandboxed directory.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 03:25 AM