publish-substack-article

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to run python3 and node scripts on dynamically generated inputs, and it writes Markdown tables through shell redirection with a heredoc (e.g., cat > /tmp/table1.md << 'TABLE_EOF'). Because the agent assembles that command string itself, both the file path and the file body are command-injection surfaces: an unquoted path can carry shell metacharacters, and although the quoted delimiter disables expansion inside the heredoc, any line of the article body that is exactly TABLE_EOF terminates the heredoc early, and the lines that follow it are parsed and executed as shell commands.
  • [EXTERNAL_DOWNLOADS]: The workflow sends Markdown table content to an external service, diagramless.xyz, via the diagram-to-image skill. Although categorised as a download, the security-relevant direction is outbound: unpublished article content, including anything sensitive it contains, leaves the machine for a third-party API.
  • [REMOTE_CODE_EXECUTION]: The skill depends on scripts that live outside its own package and are not verified before execution: copy_to_clipboard.py and ~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs. Nothing pins their contents (no hash, signature or version check), so the execution environment is brittle, and anyone who can write to those paths can substitute code that the agent will then run with node or python3.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes full Markdown files from the local filesystem. Mandatory Evidence Chain:
    1. Ingestion points: Reads article content from /path/to/article.md (Step 1).
    2. Boundary markers: Absent; the agent is instructed to strip frontmatter but then processes the raw body.
    3. Capability inventory: Browser automation (navigation, script evaluation, clicks), shell execution (node, python3), and filesystem writes (/tmp/).
    4. Sanitization: None; the content is converted to HTML and pasted directly into a browser session.
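The heredoc finding above is easy to misjudge, because a quoted delimiter does stop variable expansion. The following is an added example, not code from the skill or from the audit: it reproduces the audited cat > … << 'TABLE_EOF' pattern, shows statically which lines of an attacker-supplied table would escape the heredoc, optionally runs the script under sh to confirm it, and contrasts two fixes (a quoted path with an unguessable delimiter, and writing the file without any shell). The table content, the marker file and the function names are constructed for this example.

```python
import secrets
import shlex
import subprocess
import tempfile
from pathlib import Path

DELIM = "TABLE_EOF"  # delimiter used by the audited pattern


def build_heredoc_command(path: str, content: str, delim: str = DELIM) -> str:
    """Reproduce the audited pattern: the path is interpolated unquoted and
    the Markdown body is dropped verbatim into a quoted heredoc."""
    return f"cat > {path} << '{delim}'\n{content}\n{delim}\n"


def heredoc_breakout(content: str, delim: str = DELIM) -> list:
    """Return the lines of CONTENT that a POSIX shell would execute as
    commands.  The quoted delimiter disables expansion, but the heredoc
    still ends at the first line that is exactly DELIM; everything after
    that line is parsed as shell again."""
    lines = content.split("\n")
    for i, line in enumerate(lines):
        if line == delim:
            return [ln for ln in lines[i + 1:] if ln.strip()]
    return []


def hardened_heredoc_command(path: str, content: str) -> str:
    """If a shell is unavoidable: quote the path and choose a delimiter that
    provably does not occur as a line of CONTENT."""
    while True:
        delim = "EOF_" + secrets.token_hex(16)
        if delim not in content.split("\n"):
            break
    return f"cat > {shlex.quote(path)} << '{delim}'\n{content}\n{delim}\n"


def write_markdown_without_shell(path: str, content: str) -> int:
    """The real fix: no shell at all, the bytes go straight to the file."""
    return Path(path).write_text(content, encoding="utf-8")


# Constructed attacker-controlled table for the demonstration (not from the page).
MALICIOUS_TABLE = "\n".join([
    "| Item | Count |",
    "|------|-------|",
    "| a    | 1     |",
    "TABLE_EOF",                  # terminates the heredoc early
    'echo pwned > "$MARKER"',     # and this line runs as a shell command
])


def demonstrate(tmpdir: str) -> bool:
    """Run the audited pattern on MALICIOUS_TABLE under sh and report whether
    the injected command executed (the marker file appears)."""
    marker = Path(tmpdir) / "marker"
    script = build_heredoc_command(str(Path(tmpdir) / "table1.md"), MALICIOUS_TABLE)
    subprocess.run(["sh", "-c", script], check=False, capture_output=True,
                   env={"MARKER": str(marker), "PATH": "/usr/bin:/bin"})
    return marker.exists()


if __name__ == "__main__":
    print("would escape the heredoc:", heredoc_breakout(MALICIOUS_TABLE))
    with tempfile.TemporaryDirectory() as d:
        print("injected command ran under sh:", demonstrate(d))
```

Note that the trailing stray TABLE_EOF in the generated script only produces a "command not found" error after the injected line has already run, so a non-zero exit status from the step is not a reliable signal that nothing happened.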
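For the unverified-dependency finding, the minimum a practitioner would want before letting an agent invoke a script that lives outside the skill's package is a pin on its contents. This is an added example, not code from the skill or from the audit; the allowlist, the hash values and the function names are assumptions made for the illustration. It refuses to run a file that is a symlink, is group- or world-writable, or whose SHA-256 differs from the reviewed copy, and the self-contained demo shows the check passing on a clean file and failing after the file is swapped or its permissions loosened.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allowlist of out-of-package scripts the skill may execute.
# The hash is a placeholder: it must be taken from a reviewed copy and stored
# somewhere the user-writable ~/.claude tree cannot overwrite.
PINNED = {
    "~/.claude/skills/diagram-to-image/scripts/diagram-to-image.mjs":
        "<sha256 of the reviewed diagram-to-image.mjs>",
}


def sha256_of(path) -> str:
    """Stream the file so large scripts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dependency(path, expected_sha256: str) -> tuple:
    """Return (ok, reason).  Every failure is a refusal, never a warning."""
    p = Path(path).expanduser()
    if p.is_symlink():
        return False, "path is a symlink"          # could point anywhere
    if not p.is_file():
        return False, "not a regular file"
    if p.stat().st_mode & 0o022:
        return False, "group- or world-writable"   # anyone could swap it
    if sha256_of(p) != expected_sha256:
        return False, "sha256 mismatch with reviewed copy"
    return True, "ok"


def run_pinned(path, expected_sha256: str, interpreter: list) -> subprocess.CompletedProcess:
    """Execute the script only if it still matches its pin."""
    ok, reason = verify_dependency(path, expected_sha256)
    if not ok:
        raise RuntimeError(f"refusing to run {path}: {reason}")
    return subprocess.run([*interpreter, str(Path(path).expanduser())], check=True)


def demo() -> dict:
    """Constructed stand-in for diagram-to-image.mjs in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "diagram-to-image.mjs"
        script.write_text("console.log('reviewed copy')\n")
        script.chmod(0o644)
        pin = sha256_of(script)                      # taken at review time
        clean = verify_dependency(script, pin)
        script.write_text("console.log('tampered')\n")  # simulate a swapped file
        tampered = verify_dependency(script, pin)
        script.chmod(0o666)                           # simulate loosened perms
        writable = verify_dependency(script, sha256_of(script))
        return {"clean": clean, "tampered": tampered, "world_writable": writable}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ok' if ok else 'REFUSED'} ({reason})")
```

The check is a tripwire, not a boundary: whoever can write to ~/.claude can usually also edit the pin if it is kept there, so the expected hashes belong inside the skill's own package or in a read-only location, and the check must run immediately before each invocation rather than once at install time.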
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 13, 2026, 02:10 PM
Security Audit — agent-trust-hub — publish-substack-article