space-weread-export
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill orchestrates the execution of a Python script (`scripts/md_to_pdf.py`) to handle PDF conversion. This script invokes a headless browser (such as Chrome or Edge) via `subprocess.run` to render HTML content into a PDF document.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. It retrieves highlight and review data from the external WeRead API and embeds it into a document template without sufficient sanitization. In `scripts/md_to_pdf.py`, the `naive_md` function lacks HTML escaping, meaning any HTML tags (e.g., `<script>`, `<iframe>`) present in the user's book highlights will be rendered by the headless browser during the conversion process.
  - Ingestion points: Data entering via WeRead API endpoints `/book/bookmarklist` and `/review/list/mine`.
  - Boundary markers: No delimiters or instructions are used to prevent the interpreter from processing embedded commands in the note content.
  - Capability inventory: The skill can create directories, write files (Markdown and PDF), and execute subprocesses (Python and Browser).
  - Sanitization: HTML escaping is absent in the primary text processing path in `scripts/md_to_pdf.py`.
Audit Metadata