md-to-pdf

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Markdown-to-PDF conversion skill, with a real caution that untrusted Markdown could cause the browser renderer to load external resources.

Reasonable to install for converting your own Markdown files. Avoid running it on untrusted Markdown unless you add request blocking or sanitization, because embedded remote resources could make network requests from your machine during PDF generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The Markdown is rendered into live HTML and loaded with Puppeteer's page.setContent(..., { waitUntil: 'networkidle0' }), which allows the browser to fetch remote resources referenced by attacker-controlled markdown/HTML such as images, iframes, stylesheets, or links that trigger requests. In a document-conversion skill, this can enable SSRF, internal network probing, unintended external callbacks, and data leakage during rendering, especially because marked output is inserted directly into the page without sanitization or request blocking.

VirusTotal

64/64 vendors flagged this skill as clean.