beautiful-article

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses scripts/source-to-markdown.py and scripts/source-to-markdown-markitdown.py to fetch content from remote URLs provided by the user. While this is the intended purpose, it involves connecting to arbitrary external domains.
  • [REMOTE_CODE_EXECUTION]: During the project setup phase, scripts/scaffold.sh executes npm install reacticle@latest. This installs a third-party package from the npm registry. As the package and the skill share the same author ('ConardLi'), this is considered a vendor-owned resource.
  • [COMMAND_EXECUTION]: The skill relies on several shell scripts (scaffold.sh, html-to-pdf.sh) to manage the article workspace and generate PDF outputs. These scripts perform operations like file system manipulation, dependency installation via npm, and launching a headless browser for printing.
  • [DATA_EXFILTRATION]: The skill possesses an attack surface for indirect prompt injection as it processes untrusted source material (URLs, PDFs, documents) without explicit boundary markers or sanitization. This is mitigated by the harness structure and the intended use case, resulting in a low risk assessment.
  • Ingestion points: Untrusted data enters the agent context in Phase 1 via source extraction scripts (source-to-markdown.py).
  • Boundary markers: Absent; there are no specific delimiters to separate source content from agent instructions during processing.
  • Capability inventory: Subprocess calls (scaffold.sh, html-to-pdf.sh), file-writing to the workspace, and network operations for URL fetching.
  • Sanitization: No validation or filtering is applied to the extracted markdown before the agent processes it.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 12:14 AM
Security Audit — agent-trust-hub — beautiful-article