Markdown Fetcher

Security checks across malware telemetry and agentic risk

Overview

This is a simple webpage-to-Markdown helper, with the main caution that it sends URLs to named third-party conversion services.

Use this skill for public webpages. Avoid private intranet links, authenticated pages, confidential targets, and URLs containing tokens or secrets unless you are comfortable sending them to the named third-party services. Review the Scrapling package before using the optional local fallback.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs routing arbitrary user-supplied URLs through external services such as markdown.new, defuddle.md, and r.jina.ai, but it does not warn that the full target URL and fetched content will be disclosed to those third parties. This can leak private links, tokens embedded in URLs, internal hostnames, or sensitive browsing targets, especially if an agent uses the skill on confidential or non-public resources.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal