markitdown
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTION
Full Analysis
- [Persistence Mechanisms] (HIGH): The skill's documentation in
INSTALLATION_GUIDE.mdandOPENROUTER_INTEGRATION.mdexplicitly instructs users to append sensitive API keys to shell configuration files (~/.bashrcand~/.zshrc). This practice creates a persistent, plaintext record of secrets in environment files and shell histories, which is a high-severity security risk for credential exposure. - [Indirect Prompt Injection] (LOW): The skill is designed to ingest and convert untrusted document formats (PDF, DOCX, etc.) into Markdown for LLM consumption. It lacks sanitization and boundary markers, which could allow malicious instructions embedded in documents to influence an AI agent. \n
- Ingestion points:
scripts/batch_convert.py,scripts/convert_literature.py, andscripts/convert_with_ai.pyall read from untrusted files. \n - Boundary markers: Absent; the script directly concatenates metadata with document content. \n
- Capability inventory: Includes local file system writes and network requests to third-party AI services. \n
- Sanitization: None detected in the extraction logic.
- [Data Exposure & Exfiltration] (LOW): The skill transmits document content to external AI services (OpenRouter and Azure Document Intelligence). While this is the intended functionality, these services are not on the trusted whitelist and involve sending potentially sensitive local data over the network.
Recommendations
- AI detected serious security threats
Audit Metadata