Publish To Mdpage

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: uploads chosen markdown to md.page to create a shareable link, with no hidden install or persistence behavior found.

Install only if you want an agent to upload markdown to md.page and create shareable links. Review any file, note, report, personal data, confidential material, or credential-like text before publishing; treat the resulting URL as shareable with anyone who has the link.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger description is overly broad and can activate on common phrases like 'share this' or 'create a page' without clearly signaling that the content will be sent to an external service. In an agent setting, this increases the chance of accidental exfiltration of sensitive markdown, notes, reports, or file contents to a third party when the user may not understand the privacy implications.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill promotes publishing markdown but does not prominently warn, in the user-facing description, that the content is transmitted to md.page, a third-party external service. This omission undermines informed consent and makes accidental disclosure of sensitive content more likely, especially because the skill is designed for sharing arbitrary markdown and existing files.

External Transmission

Medium

Category: Data Exfiltration
Content: **POST** `https://md.page/api/publish` ```bash curl -X POST https://md.page/api/publish \ -H "Content-Type: application/json" \ -d '{"markdown": "# Hello\n\nYour content here"}' ```
Confidence: 93% confidence
Finding: curl -X POST https://md.page/api/publish \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: 3. To safely handle special characters (quotes, apostrophes, newlines), use Python to JSON-encode the payload, then pipe it to curl: ```bash curl -s -X POST https://md.page/api/publish \ -H "Content-Type: application/json" \ -d "$(python3 -c " import json
Confidence: 92% confidence
Finding: curl -s -X POST https://md.page/api/publish \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal