Low Risk — Risk Score 20/100
Last scan: 1 day ago
web-to-pdf
Convert a web page to PDF, especially web-based slide decks and presentations
A legitimate web-to-PDF conversion tool with minor security concerns around shell quoting in the PNG-to-PDF assembly step.
Skill Name: web-to-pdf
Duration: 32.3s
Engine: pi
Safe to install
Accept for use with standard precautions. Consider hardening the execSync call to use argument arrays instead of shell interpolation.

Findings (2 items)

Finding 1 of 2
  Severity: Low
  Category: RCE
  Title: Shell interpolation in PNG-to-PDF assembly
  Location: scripts/capture.mjs:271
  Details: execSync uses shell interpolation with JSON-stringified paths and a user-controlled output path. JSON.stringify adds quoting, but special characters in file paths could still break that quoting once the string reaches the shell.
  Evidence: execSync(`python3 "${scriptPath}" '${JSON.stringify(pngPaths)}' "${outputPath}" ${opts.width} ${opts.height}`)
  Recommendation: Pass arguments as an array to execFileSync or spawnSync (execSync always runs the command through a shell) to avoid shell interpretation entirely.

Finding 2 of 2
  Severity: Low
  Category: Sensitive Access
  Title: Temp file cleanup with error suppression
  Location: scripts/capture.mjs:277
  Details: Cleanup of temporary files uses try/catch with empty handlers, silently ignoring errors. This could leave generated script files behind in the temp directory.
  Evidence: try { unlinkSync(scriptPath); } catch {}
  Recommendation: Log cleanup failures or use a dedicated temp directory with auto-cleanup.
Resource    | Declared | Inferred | Status    | Evidence
Filesystem  | WRITE    | WRITE    | ✓ Aligned | SKILL.md declares output PDF writing; capture.mjs:271 writes to outputPath
Network     | READ     | READ     | ✓ Aligned | SKILL.md declares URL fetching; capture.mjs:249 navigates to opts.url
Shell       | WRITE    | WRITE    | ✓ Aligned | SKILL.md declares npm/pip installation; capture.mjs:18 imports execSync; capture…
Environment | NONE     | NONE     |           | No environment variable access observed

File Tree

4 files · 16.8 KB · 512 lines
JavaScript: 1 file, 356 lines · Markdown: 2 files, 147 lines · JSON: 1 file, 9 lines
├─ 📁 scripts
│ ├─ 📜 capture.mjs JavaScript 356L · 11.3 KB
│ └─ 📋 package.json JSON 9L · 149 B
├─ 📝 README.md Markdown 70L · 2.0 KB
└─ 📝 SKILL.md Markdown 77L · 3.3 KB

Dependencies (2 items)

Package    | Version | Source | Known Vulns | Notes
playwright | ^1.50.0 | npm    | No          | Pinned to major version
Pillow     | *       | pip    | No          | Version not pinned in SKILL.md

Security Positives

✓ SKILL.md accurately describes the tool's functionality with no documentation deception
✓ No credential harvesting or sensitive data access observed
✓ No obfuscation techniques (base64, eval, etc.) detected
✓ Dependencies are pinned to major version ranges (playwright ^1.50.0)
✓ No network exfiltration or C2 communication patterns
✓ URL navigation is limited to user-provided URLs only
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No supply chain risks identified beyond standard npm package usage