Security audit

Md Web

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it publishes user-chosen Markdown to a user-configured public S3-compatible bucket, with clear disclosure of the main privacy and credential risks.

Install only if you are comfortable publishing selected Markdown to a public bucket. Use a dedicated bucket, restrict the S3 token to that bucket where possible, avoid confidential or untrusted Markdown, protect ~/.md-web/config.json, and be aware that setting expire_days to 0 can clear the bucket lifecycle configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90%
Finding
The skill explicitly performs network operations against an S3-compatible endpoint but does not declare any permissions for that capability. Undeclared network access weakens security review and user consent because a caller may not realize the skill can transmit file contents and authentication data off-host. In this context the destination is user-configured storage, which lowers suspicion, but the missing declaration is still a real security transparency issue.

Context-Inappropriate Capability

Medium
Confidence
94%
Finding
The TOC builder copies each heading's HTML into a new anchor with innerHTML instead of copying only its text, so any HTML that survives markdown rendering inside a heading is re-parsed and re-inserted into the DOM. In a skill whose purpose is to render user-supplied markdown into a publicly accessible page, this increases the risk of stored XSS or DOM-based script execution via attacker-controlled markdown content.

Context-Inappropriate Capability

Medium
Confidence
89%
Finding
The configured TOC title is inserted with innerHTML, so arbitrary markup in the configuration value lands in the rendered page unescaped. If an attacker can influence the docsify configuration or the bundled content, this can produce XSS or layout/script injection on the published markdown page.
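The two innerHTML findings above describe the same sink with two sources (heading HTML and the configured TOC title). The following is an added example, not code from the Md Web skill or from docsify, that reproduces the pattern offline under Node: `tocEntryUnsafe` and `tocTitleUnsafe` build markup the way `el.innerHTML = value` would, so whatever tags survived markdown rendering are handed back to the HTML parser; `tocEntrySafe` and `tocTitleSafe` keep only the text and escape it, which is what `el.textContent = value` gives you in a browser. The sample heading, the sample title, and all helper names are constructed for the example.

```javascript
// Added example (not from the Md Web skill or docsify): vulnerable vs. hardened TOC building.
// In a browser the hardened path is simply
//   a.textContent = heading.textContent   instead of   a.innerHTML = heading.innerHTML

// Constructed sample: a heading whose rendered innerHTML still carries raw HTML from the
// markdown (e.g. the line "## Intro <img src=x onerror=alert(1)>" with raw HTML allowed).
const SAMPLE_HEADING_INNER_HTML = 'Intro <img src=x onerror="alert(1)">';
// Constructed sample: a TOC title taken from configuration, also attacker-shaped.
const SAMPLE_TOC_TITLE = 'Contents<script>alert(2)</script>';

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Approximates DOM textContent for the offline demo: drops tags and decodes the entities a
// markdown renderer emits in text. Browser code should read heading.textContent directly.
function textContentOf(innerHtml) {
  return innerHtml
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&')
    .trim();
}

// VULNERABLE: mirrors `a.innerHTML = heading.innerHTML`; markup the heading carried is
// re-parsed inside the new anchor.
function tocEntryUnsafe(id, headingInnerHtml) {
  return `<a href="#${id}">${headingInnerHtml}</a>`;
}

// HARDENED: only the heading's text reaches the anchor, escaped before serialisation;
// the id is escaped too since it is derived from the same heading.
function tocEntrySafe(id, headingInnerHtml) {
  return `<a href="#${escapeHtml(id)}">${escapeHtml(textContentOf(headingInnerHtml))}</a>`;
}

// Same pair for the configured TOC title (the second innerHTML finding).
function tocTitleUnsafe(title) {
  return `<p class="toc-title">${title}</p>`; // mirrors `el.innerHTML = title`
}
function tocTitleSafe(title) {
  return `<p class="toc-title">${escapeHtml(title)}</p>`; // mirrors `el.textContent = title`
}

// Crude detector used only to make the difference visible: an element with an on* handler
// or a <script> tag in the output means active content reached the page.
function carriesActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Side-by-side result for the two constructed samples.
function demo() {
  return {
    entryUnsafe: tocEntryUnsafe('intro', SAMPLE_HEADING_INNER_HTML),
    entrySafe: tocEntrySafe('intro', SAMPLE_HEADING_INNER_HTML),
    titleUnsafe: tocTitleUnsafe(SAMPLE_TOC_TITLE),
    titleSafe: tocTitleSafe(SAMPLE_TOC_TITLE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The detector is deliberately crude (it exists to show the difference, not to sanitise anything); the fix is the use of text rather than markup, not the regex.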

Missing User Warnings

Medium
Confidence
91%
Finding
This script loads long-lived storage credentials from a local config file and uses them for uploads and for lifecycle operations, but nothing in the execution path tells the user how sensitive those credentials are or how far they reach. In a skill that publishes content to public storage, silently relying on powerful credentials increases the risk that users grant broader access than they understand, especially since the same credentials may also change bucket configuration such as lifecycle rules.

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 2: Prepare the markdown file

Either use an existing `.md` file, or write the content to a temporary file. Choose the temp path based on the current platform (e.g., `/tmp/` on Linux/macOS, system temp dir on Windows). Use whichever path works in the current shell environment.

### Step 3: Upload via upload.js
Confidence
78%
Finding
write the content to a temporary file. Choose the temp path based on the current platform (e.g., `/tmp/` on Linux/macOS, system temp dir on Windows). Use whichever path works in the current shell environment.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.