publish-substack-article
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute python3 and node scripts with dynamically generated inputs. It uses shell redirection (e.g., cat > /tmp/table1.md << 'TABLE_EOF') to process Markdown content, which creates a command injection surface if filenames or file content are maliciously crafted.
- [EXTERNAL_DOWNLOADS]: The workflow sends Markdown table content to an external service, diagramless.xyz, via the diagram-to-image skill. This exposes potentially sensitive article data to a third-party API.
- [REMOTE_CODE_EXECUTION]: The skill relies on unverified local dependencies located in external directories, specifically copy_to_clipboard.py and ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs. These scripts are not part of the skill's own package, making the execution environment brittle and potentially exploitable if those paths are compromised.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes full Markdown files from the local filesystem. Mandatory Evidence Chain:
  1. Ingestion points: Reads article content from /path/to/article.md (Step 1).
  2. Boundary markers: Absent; the agent is instructed to strip frontmatter but then processes the raw body.
  3. Capability inventory: Browser automation (navigation, script evaluation, clicks), shell execution (node, python3), and file system writes (/tmp/).
  4. Sanitization: None; the content is converted to HTML and pasted directly into a browser session.