Markdown Publish & Share

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it publishes markdown to a disclosed AutEng endpoint and returns a shareable link, with no evidence of hidden execution or unrelated access.

Install only if you want an agent to publish markdown through AutEng and create shareable links. Do not use it for secrets, private architecture notes, customer data, or internal documents unless they are approved for external sharing, and set an expiration time when temporary access is intended.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs the agent to send user-provided markdown to a third-party remote service and return a public share link, but it provides no privacy warning, consent requirement, or guidance about sensitive data. This is dangerous because users may include internal documentation, credentials, architecture details, or other confidential material that would be externally transmitted and potentially made accessible via a shareable URL.

External Transmission

Medium

Category: Data Exfiltration
Content: description: Publish markdown and return share links using curl. Support markdown with mermaid diagrams such as component diagrams, flowcharts, and sequence diagrams. Also supports KaTex and code blocks. AutEng will return a shareable link to the published rendered document. Use cases include Software Architecture diagrams and documentation, Maths and Physics derivations and Systems documentation. --- # AutEng Docs Curl Publish Use this endpoint:
Confidence: 92% confidence
Finding: Curl Publish Use this endpoint: `https://auteng.ai/api/tools/docs/publish-markdown/` Send JSON with: - `markdown` (required) - `title` (optional) - `expires_hours` (optional) Use this command to

External Transmission

Medium

Category: Data Exfiltration
Content: Extract a compact success payload: ```bash curl -sS -X POST "https://auteng.ai/api/tools/docs/publish-markdown/" \ -H "Content-Type: application/json" \ -d '{"markdown":"# Hello\n\nPublished from curl."}' \ | jq '{title, share_url, expires_at}'
Confidence: 90% confidence
Finding: curl -sS -X POST "https://auteng.ai/api/tools/docs/publish-markdown/" \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal