markdown-to-html

Fail

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically fetches and executes JavaScript from a remote Aliyun OSS bucket (cdn-doocs.oss-cn-shenzhen.aliyuncs.com) to load syntax highlighting definitions for programming languages. This occurs in scripts/md/utils/languages.ts via the import() function, using language identifiers extracted directly from user-provided markdown code blocks as part of the URL path.
  • [EXTERNAL_DOWNLOADS]: The skill makes several network requests to external domains. It fetches syntax highlighting CSS from cdn-doocs.oss-cn-shenzhen.aliyuncs.com in scripts/md/render.ts, and communicates with www.plantuml.com for diagram rendering in scripts/md/extensions/plantuml.ts. Additionally, it downloads remote images from any URL provided in the markdown source using scripts/main.ts.
  • [DATA_EXFILTRATION]: The image download functionality in scripts/main.ts (via downloadFile) does not restrict target domains or IP addresses. An attacker could provide a markdown file containing URLs pointing to internal services (e.g., http://localhost) or cloud metadata endpoints (e.g., 169.254.169.254), potentially exposing sensitive information from the local environment via SSRF.
  • [PROMPT_INJECTION]: The skill serves as a surface for indirect prompt injection as it processes untrusted markdown input and converts it to HTML without explicit sanitization.
    • Ingestion points: Markdown files provided as input to the main.ts script.
    • Boundary markers: None are employed to delimit user content from the processing logic.
    • Capability inventory: File system access, network downloads, and dynamic code execution via remote imports.
    • Sanitization: Relies on standard parsing libraries without further validation of the output structure.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Jun 16, 2026, 11:10 AM