baoyu-url-to-markdown

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill launches a Chrome/Edge/Chromium browser using node:child_process.spawn. It searches for common executable paths across different operating systems or uses the URL_CHROME_PATH environment variable. It also instructs the agent to use test -f shell commands to locate configuration files.
  • [EXTERNAL_DOWNLOADS]: The skill navigates to and fetches content from arbitrary external URLs provided at runtime to perform its primary function of URL-to-markdown conversion.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests content from external websites, converts it to markdown, and returns it to the agent's context. A malicious website could include natural language instructions designed to manipulate the agent's subsequent behavior.
  • Ingestion points: Web content is fetched from user-provided URLs in scripts/main.ts and processed in scripts/html-to-markdown.ts.
  • Boundary markers: The output is wrapped in YAML frontmatter and markdown headers, but there are no explicit instructions to the agent to treat the converted content as untrusted data or to ignore embedded commands.
  • Capability inventory: The skill can spawn browser processes, read local configuration files, and write converted markdown files to the local file system.
  • Sanitization: The skill uses linkedom and turndown to strip potentially dangerous HTML tags like <script>, <style>, and <iframe>, but it does not sanitize or filter the natural language text for malicious instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 25, 2026, 03:10 PM
Security Audit — agent-trust-hub — baoyu-url-to-markdown