The Agent Skills Directory

Indirect Prompt Injection (MEDIUM): The skill processes untrusted Markdown data which is rendered into PDF/HTML via pdfkit. Because Markdown allows embedded HTML, an attacker can include tags like <iframe src='file:///etc/passwd'> or <img src='http://internal-service/'> to exploit wkhtmltopdf for Local File Inclusion (LFI) or Server-Side Request Forgery (SSRF) during the generation process.
Data Exposure & Exfiltration (LOW): The batch_convert_images.py script possesses the capability to delete files from the local filesystem using old_path.unlink(). While intended for cleaning up WebP files after conversion, this destructive capability could be misused if the conversion plan is manipulated.
Privilege Escalation (LOW): The documentation (README.md and SKILL.md) instructs users to run system package managers with sudo (e.g., sudo apt-get install wkhtmltopdf), which involves high-privilege operations during setup.
Metadata Poisoning (INFO): The script update_markdown_refs.py contains a hardcoded path (node/网络与通信/netty.md) in its execution block. While not inherently malicious, it suggests a lack of sanitization in the skill's distribution and targets specific local directory structures.

markdown-to-pdf