Tp4
High
- Category: MCP Tool Poisoning
- Confidence: 84%
- Finding: The skill claims to safely convert arbitrary HTML supplied as a file path, URL, or string, but the documented implementation reads local files directly, launches a browser with '--no-sandbox', and renders attacker-controlled HTML that can trigger outbound network requests for external resources. This expands the effective permissions and attack surface beyond the declared behavior: it enables local file access and creates SSRF and privacy-leakage paths through subresources loaded during HTML rendering.
