md2word
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/chart_handler.pyexecutes shell commands to render Mermaid diagrams. - Evidence: It calls
subprocess.run()to execute themmdc(Mermaid CLI) command. - Safety Context: The command is constructed using a list of arguments rather than a raw shell string, and
shell=Trueis not used, which follows security best practices to prevent command injection. The execution is gated by the presence of a local Mermaid installation. - [EXTERNAL_DOWNLOADS]: The main script
scripts/md2word.pydownloads images from external URLs provided in the Markdown source. - Evidence: The
download_external_imagefunction usesurllib.request.urlopento fetch remote image data. - Safety Context: This is a documented primary feature (v0.5.0) intended to allow users to embed remote images into their Word documents. It includes a standard User-Agent and a 20-second timeout to prevent hanging or basic request blocking.
- [SAFE]: The skill uses
yaml.safe_loadinscripts/config.pyfor parsing configuration files, which prevents arbitrary code execution during YAML deserialization. - [SAFE]: Recommended dependencies (python-docx, Pillow, beautifulsoup4, PyYAML, and @mermaid-js/mermaid-cli) are well-known, standard libraries from official registries (PyPI and NPM).
Audit Metadata