wjs-converting-wp-to-hugo
Warn
Audited by Snyk on Jun 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Runtime LLM context is fed from the user-provided WXR .xml and uploads/content: scripts/wxr_to_hugo.py reads the XML (open(xml_path).read()), parses <content:encoded> HTML into Markdown, and that converted prose (including outsider-authored post/page body text) is then used downstream; this is outsider free text originating from the WordPress site export.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The GitHub Actions workflow fetches and installs a remote Hugo binary at runtime via wget from https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb and invokes external actions (actions/checkout@v4, actions/configure-pages@v5, actions/upload-pages-artifact@v3, actions/deploy-pages@v4), all of which run code fetched at workflow time and are required for the build/deploy pipeline.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).