markitdown

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill requires the installation of the 'markitdown' package via pip. Although this is an external dependency, it is a known project from Microsoft, a trusted organization, which downgrades the severity of the dependency reference itself.
  • [COMMAND_EXECUTION] (MEDIUM): The skill explicitly allows the 'Bash' tool and provides instructions for executing CLI commands. This provides a direct path for an attacker to execute arbitrary system commands if the agent is manipulated via prompt injection.
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8). It is designed to ingest and parse untrusted data from local files and URLs, which is the primary vector for this attack.
      ◦ Ingestion points: Processes PDF, Word, Excel, PowerPoint, images, and web content via the markitdown CLI.
      ◦ Boundary markers: No boundary markers or 'ignore' instructions are present to prevent the agent from obeying instructions embedded within the processed documents.
      ◦ Capability inventory: The agent has access to the Bash tool to execute shell commands based on its reasoning.
      ◦ Sanitization: There is no evidence of sanitization or filtering applied to the document content before it is returned to the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:45 AM