docx-to-markdown

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No malicious patterns or security risks were identified. The skill implements a legitimate document conversion pipeline (DOCX to HTML to Markdown).
  • [DATA_EXPOSURE]: The skill reads local .docx files and writes Markdown and image files to the local file system. These operations are limited to user-provided paths and are necessary for the skill's core functionality.
  • [COMMAND_EXECUTION]: The documentation provides instructions for running conversion scripts via Node.js and a setup command (ck init). These are standard practices for script-based skills and do not involve arbitrary command execution or privilege escalation.
  • [EXTERNAL_DOWNLOADS]: The skill depends on standard Node.js packages (mammoth, turndown, and turndown-plugin-gfm) from the official NPM registry. These are well-known libraries for document processing and are considered safe dependencies.
  • [PROMPT_INJECTION]: The skill contains instructional guidance for the agent (such as using TaskCreate for planning) but does not include any attempts to bypass safety filters or override system constraints. The skill processes external files, which is an indirect prompt injection surface, but no dangerous capabilities or malicious triggers are present.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 06:18 AM