beautiful-article
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
scripts/source-to-markdown.pyandscripts/source-to-markdown-markitdown.pyto fetch content from remote URLs provided by the user. While this is the intended purpose, it involves connecting to arbitrary external domains. - [REMOTE_CODE_EXECUTION]: During the project setup phase,
scripts/scaffold.shexecutesnpm install reacticle@latest. This installs a third-party package from the npm registry. As the package and the skill share the same author ('ConardLi'), this is considered a vendor-owned resource. - [COMMAND_EXECUTION]: The skill relies on several shell scripts (
scaffold.sh,html-to-pdf.sh) to manage the article workspace and generate PDF outputs. These scripts perform operations like file system manipulation, dependency installation vianpm, and launching a headless browser for printing. - [DATA_EXFILTRATION]: The skill possesses an attack surface for indirect prompt injection as it processes untrusted source material (URLs, PDFs, documents) without explicit boundary markers or sanitization. This is mitigated by the harness structure and the intended use case, resulting in a low risk assessment.
- Ingestion points: Untrusted data enters the agent context in Phase 1 via source extraction scripts (
source-to-markdown.py). - Boundary markers: Absent; there are no specific delimiters to separate source content from agent instructions during processing.
- Capability inventory: Subprocess calls (
scaffold.sh,html-to-pdf.sh), file-writing to the workspace, and network operations for URL fetching. - Sanitization: No validation or filtering is applied to the extracted markdown before the agent processes it.
Audit Metadata