web-to-markdown
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is vulnerable to shell command injection. User-supplied URLs are interpolated directly into shell commands within single quotes (e.g., `web2md '<url>'`). If a URL contains a single quote and shell metacharacters (e.g., `https://example.com' ; touch /tmp/pwned ; '`), an attacker can execute arbitrary commands on the host system.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The instructions for installing the prerequisite `web2md` tool involve running `npm install` and `npm run build` in a specific local directory (`~/workspace/softaworks/projects/web2md`). If an attacker can modify files in this directory, they can achieve arbitrary code execution when the agent attempts to set up the skill.
- [PROMPT_INJECTION] (LOW): This skill exposes the agent to Indirect Prompt Injection. It fetches content from arbitrary external URLs and returns the resulting Markdown to the agent context without boundary markers or content sanitization.
  - Ingestion points: External web content fetched via `web2md`.
  - Boundary markers: Absent; the content is directly integrated into the agent's context.
  - Capability inventory: Shell execution (`npm`, `mkdir`, `web2md`), filesystem access.
  - Sanitization: Only validates that the URL starts with `http://` or `https://`.
- [COMMAND_EXECUTION] (MEDIUM): The skill documentation suggests using the `--no-sandbox` flag for browser execution in certain environments. This disables Chromium's security sandbox, significantly increasing the risk of host compromise if the browser processes a malicious webpage.
Recommendations
- AI detected serious security threats
Audit Metadata