baoyu-url-to-markdown
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted content from the web.
- Ingestion points: Web content from any user-provided URL is retrieved and converted to Markdown.
- Boundary markers: While it uses parsing libraries to strip active scripts, it does not use structural delimiters to separate external content from the agent's instructions.
- Capability inventory: The skill can execute shell commands, perform network requests, and write to the local filesystem.
- Sanitization: The skill relies on conversion libraries (Readability, Turndown) but does not sanitize text-based instructions found in webpage content.
- [DATA_EXFILTRATION]: The skill persists sensitive session cookies to the local filesystem and may share URLs with a remote service.
- Evidence:
scripts/vendor/baoyu-fetch/src/browser/cookie-sidecar.tsstores X/Twitterauth_tokenandct0credentials in local JSON files to maintain login state. - Evidence:
scripts/vendor/baoyu-fetch/src/extract/html-to-markdown.tsmay send the target URL tohttps://defuddle.mdas a fallback conversion mechanism. - [COMMAND_EXECUTION]: The skill executes shell commands to perform its core functions and monitor system processes.
- Evidence: It uses the
bunruntime to execute its internal CLI and invokesps auxto detect existing browser instances. - Evidence: On macOS, it uses
osascriptto activate browser applications during interactive sessions. - [EXTERNAL_DOWNLOADS]: The skill fetches external media files from the target webpages.
- Evidence:
scripts/vendor/baoyu-fetch/src/media/default-downloader.tsdownloads images and videos from arbitrary URLs found in the processed content and saves them to local directories.
Audit Metadata