Markdown to HTML Converter

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for building a Markdown-to-HTML web converter, with a disclosed CDN dependency mismatch but no hidden access or unsafe automation.

Reasonable to install if you want guidance for building this converter. Before using generated output with sensitive or untrusted Markdown, consider bundling or pinning dependencies with integrity checks, correcting the offline-use claim, and adding HTML sanitization for previews/downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill describes the tool as suitable for offline use, yet explicitly requires third-party CDN-hosted JavaScript and CSS. This creates a supply-chain and availability risk: users may unknowingly depend on external network resources, and compromised CDN assets could inject malicious code into a local document-processing app.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation presents the converter as usable offline while the implementation instructions mandate online CDN resources. This mismatch is dangerous because operators may deploy it in trusted local contexts under false assumptions, reducing scrutiny of network fetches and increasing exposure to remote dependency tampering or failure.

VirusTotal

66/66 vendors flagged this skill as clean.
