Trust Assessment
web-to-markdown received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 1 high, 3 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Prompt Injection Attempt via Hard Trigger Gate.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Prompt Injection Attempt via Hard Trigger Gate | The skill attempts to dictate the host LLM's behavior by including explicit instructions on when and how it 'MUST' be used, and what to do if conditions are not met. This is a direct attempt to manipulate the LLM's internal reasoning and control flow from within untrusted content. | Remove all instructions that attempt to control the host LLM's behavior, reasoning, or decision-making process. The LLM's internal policies should govern skill invocation. | LLM | SKILL.md:7 |
| HIGH | Potential Command Injection via User-Controlled Arguments | The skill describes several user-controlled arguments that are directly passed to the `web2md` command-line tool, including `--chrome-path`, `--user-data-dir`, `--wait-for`, and `--out`. If the LLM constructs the shell command by directly concatenating user input for these arguments without proper sanitization or escaping, an attacker could inject arbitrary shell commands. For example, `--chrome-path '/bin/sh -c "rm -rf /"'` could lead to remote code execution. | The LLM must strictly validate and sanitize all user-provided inputs before constructing and executing shell commands. For paths, ensure they are canonicalized and do not contain path traversal sequences (e.g., `../`). For all arguments, use proper shell escaping (e.g., `shlex.quote` in Python) to prevent injection. Consider using an allowlist for `--chrome-path` or restricting it to known safe locations. | Static | SKILL.md:34 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Facilitation of `--no-sandbox` for Browser Automation | The skill explicitly lists `--no-sandbox` as an optional rendering control. Running browser automation tools like Puppeteer (used by `web2md`) with `--no-sandbox` significantly reduces the security posture, especially in containerized environments or when processing untrusted web content. This can allow malicious web pages to escape the browser's sandbox and potentially compromise the host system. | Strongly discourage or disallow the use of `--no-sandbox`. If absolutely necessary, provide explicit warnings to the user about the security implications and ensure the execution environment is isolated (e.g., dedicated VM, strict containerization with minimal privileges). The LLM should not automatically enable this option. | Static | SKILL.md:40 |
| MEDIUM | Unpinned Dependencies and Supply Chain Risk | The skill instructs the user to install `web2md` globally via `npm install -g web2md` or from source via `npm install && npm run build && npm link`. These instructions do not specify a version, making the installation vulnerable to supply chain attacks if a malicious version of `web2md` is published or if a typosquat package exists. If the LLM were to execute these commands, it would be at risk. | If the LLM is to recommend or execute installation commands, it should always specify exact versions for dependencies (e.g., `npm install -g web2md@1.2.3`) and ideally include integrity checks (e.g., checksums). For source installations, recommend cloning from a specific commit hash. The LLM should also warn users about the risks of installing global packages from untrusted sources. | Static | SKILL.md:57 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/bed1efb47881f4ea (powered by SkillShield)