Back to skill

Security audit

Baoyu Url To Markdown

Security checks across malware telemetry and agentic risk

Overview

This URL-to-Markdown skill mostly does what it claims, but it under-discloses sensitive session persistence and third-party URL sharing that users should review before installing.

Review before installing if you plan to use this on logged-in or private pages. Avoid debug mode on sensitive sessions unless you are comfortable writing page HTML and network data to disk. Be aware that X/Twitter sessions may be saved in a local plaintext cookie sidecar, and generic conversion may send the target URL to defuddle.md as a fallback. Use a dedicated Chrome profile and avoid private/internal URLs unless those behaviors are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a network-capable CLI to fetch arbitrary URLs and uses environment-dependent configuration, but the manifest does not declare corresponding permissions or constraints. This weakens sandboxing and user awareness, making it easier for the skill to perform network access and read environment-derived paths unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code records broad network telemetry including request headers and POST bodies for every observed request, not just the page content needed for markdown conversion. In a browser automation context that may traverse authenticated sessions, this can capture cookies, bearer tokens, CSRF tokens, form submissions, and other sensitive data unrelated to the tool’s stated purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The ensureBody/toJSON path can retrieve and decode arbitrary response bodies for any finished request seen by the session, including API responses, XHR/fetch traffic, and other non-document resources. In a tool that supports login/CAPTCHA flows, this materially increases the risk of exfiltrating private account data, session-scoped API responses, or hidden site data far beyond simple webpage-to-markdown extraction.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger language is overly broad: 'Fetch any URL' and 'Use when user wants to save a webpage as markdown' can cause the skill to be invoked in many loosely related contexts. In practice, that increases the chance of unintended network requests to attacker-controlled URLs or surprising execution without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill performs file writes, may download media, and creates persistent preference files, but it does not present a prominent upfront warning that local filesystem state will be modified. This can lead to unexpected persistence, clutter, or writes into sensitive project directories if users do not realize the side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code will delete Chrome profile lock artifacts and retry launch automatically after a failed startup. Even though it tries to gate cleanup behind checks for stale locks, the deletion is still destructive state modification on a user profile directory, and if the stale-lock detection is wrong or races with a real Chrome instance, it can corrupt profile state, disrupt a live browser session, or cause data loss. In this skill context, the risk is somewhat elevated because the tool intentionally reuses and launches real Chrome profiles to access authenticated sites.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code exports browser cookies, including potential authentication/session tokens, to a plaintext JSON sidecar on disk with no encryption, permission hardening, consent check, or visibility to the user at this layer. In a URL-to-markdown skill that explicitly supports logged-in browsing and CAPTCHA/login flows, persisted cookies materially increase the risk of account/session theft if the local filesystem, profile directory, or sidecar filename is exposed to other processes or users.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The restore path reads previously saved cookies from disk and injects them into a live browser session without any integrity check, provenance validation, or user confirmation at this layer. If an attacker can tamper with the sidecar file or place a crafted one in the profile directory, this can force the browser into an attacker-chosen authenticated state, enable session fixation/account confusion, or silently reuse sensitive sessions across runs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The debug artifact path writes a full network journal with `includeBodies: true`, which can capture sensitive request and response bodies such as session tokens, CSRF tokens, page contents behind authentication, and user-submitted data. In a tool explicitly designed to browse authenticated sites and handle login/CAPTCHA flows, storing these bodies to disk materially increases the risk of credential and private data exposure if the debug directory is shared, persisted, or read by other local processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code restores and later exports session cookies from a sidecar/profile directory, enabling reuse and persistence of authenticated sessions outside the browser's normal managed store. While likely intended to improve usability, this is sensitive credential handling; compromise of that sidecar directory or misuse by adapters could expose account sessions and extend access beyond the user's immediate interaction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When remote fallback is enabled, the code calls `fetchDefuddleApiMarkdown(url)`, which sends the full user-supplied target URL to the third-party service `https://defuddle.md`. That can disclose sensitive URLs, query parameters, internal hostnames, or authenticated resource locations without any consent, warning, or policy gate visible in this file. In a URL-fetching skill, users may reasonably expect page retrieval and conversion, but not silent transmission of the destination to an external processor.

Session Persistence

Medium
Category
Rogue Agent
Content
### First-Time Setup ⛔ BLOCKING

When EXTEND.md is not found, you **MUST** use `AskUserQuestion` to gather preferences before creating EXTEND.md. **NEVER** create EXTEND.md with silent defaults. Generation is BLOCKED until setup completes. Batch all three questions into a single call:

- **Q1 — Media** (header "Media"): "How to handle images and videos in pages?"
  - "Ask each time (Recommended)" — Prompt after each save
Confidence
84% confidence
Finding
create EXTEND.md with silent defaults. Generation is BLOCKED until setup completes. Batch all three questions into a single call: - **Q1 — Media** (header "Media"): "How to handle images and videos i

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/lib/browser/profile.ts:29