url-to-markdown
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface identified. The skill ingests untrusted data from arbitrary URLs.
  - Ingestion points: scripts/main.ts fetches external HTML content.
  - Boundary markers: Absent; there are no instructions for the agent to ignore embedded instructions in the fetched content.
  - Capability inventory: File system write access (writeFile), directory creation (mkdir), and browser automation via CDP.
  - Sanitization: Only formatting-related sanitization is performed; it lacks safety-focused sanitization to prevent prompt injection.
- [DATA_EXFILTRATION] (MEDIUM): Sensitive data access. The skill resolves and uses paths to Chrome profile directories (scripts/paths.ts). These directories contain sensitive information such as browser cookies and session tokens.
- [COMMAND_EXECUTION] (MEDIUM): Unverifiable code logic. The file scripts/cdp.js is referenced but missing from the package. This prevents auditing the browser launch parameters (e.g., sandbox settings) and the CDP command implementation.
- [EXTERNAL_DOWNLOADS] (LOW): Dependency management. The skill uses 'npx -y bun', which may trigger downloads from the public npm registry at runtime.