md2word
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/chart_handler.py` executes the Mermaid CLI (`mmdc`) using `subprocess.run` to render diagrams into images. Although the command uses a list format to avoid shell injection, it still involves executing an external process based on the content of the input file.
- [EXTERNAL_DOWNLOADS]: In `scripts/md2word.py`, the skill utilizes `urllib.request.urlopen` to download images from external HTTP/HTTPS URLs provided within the Markdown document. This functionality allows the skill to fetch content from non-whitelisted domains.
- [DATA_EXFILTRATION]: The image download mechanism could be exploited for Server-Side Request Forgery (SSRF) or data exfiltration if the tool is instructed to process a malicious Markdown file containing specially crafted URLs designed to probe internal networks or leak information.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes untrusted Markdown data while possessing powerful capabilities such as network access and command execution.
  - Ingestion points: Untrusted data enters the agent's context through the Markdown file provided as input to `scripts/md2word.py`.
  - Boundary markers: No boundary markers or specific instructions are provided to the agent to disregard instructions embedded within the Markdown content.
  - Capability inventory: The skill includes network access (`scripts/md2word.py`), subprocess execution (`scripts/chart_handler.py`), and file system write operations (`scripts/md2word.py`).
  - Sanitization: The skill lacks sanitization of the input Markdown data, allowing all included URLs and chart code to be processed as defined.