baoyu-markdown-to-html

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The included library baoyu-md contains code in scripts/vendor/baoyu-md/src/utils/languages.ts that uses dynamic import() to fetch and execute JavaScript modules from a remote Aliyun OSS URL (cdn-doocs.oss-cn-shenzhen.aliyuncs.com). While this specific execution path appears to be dormant in the current CLI implementation, the presence of remote code execution capabilities based on user-provided input (markdown language tags) is a notable security concern.
  • [EXTERNAL_DOWNLOADS]: The skill implements an arbitrary file download capability via the downloadFile function in scripts/vendor/baoyu-md/src/images.ts. It fetches remote images referenced in the markdown content and saves them to the local filesystem (temporary or project directories) before embedding them in the final HTML.
  • [COMMAND_EXECUTION]: The skill requires the ability to execute TypeScript files via bun or npx, and performs standard file system operations such as reading input files, writing output HTML, and creating automated backups (fs.renameSync) in the user's workspace.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 02:48 PM