markitdown-skill

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill instructs the user to install the 'markitdown' package and its dependencies from PyPI and GitHub.
      • Evidence: SKILL.md recommends pip install 'markitdown[all]' and provides instructions for cloning the repository from https://github.com/microsoft/markitdown.git.
      • Trust Status: Since the source is the 'microsoft' organization (a trusted GitHub entity), the severity of the download itself is downgraded per the [TRUST-SCOPE-RULE].
  • [COMMAND_EXECUTION] (MEDIUM): The skill supports a plugin architecture that enables the loading and execution of third-party Python code.
      • Evidence: SKILL.md and references/advanced-features.md describe the use of --use-plugins and the enable_plugins=True parameter. The documentation encourages users to find plugins via GitHub tags (#markitdown-plugin).
      • Risk: This mechanism allows for dynamic code execution via Python entry points. If a user installs an untrusted or malicious plugin, it can execute arbitrary commands with the privileges of the agent process.
  • [PROMPT_INJECTION] (LOW): The skill is a primary vector for Indirect Prompt Injection as it converts untrusted external content (PDFs, YouTube transcripts, etc.) for LLM consumption.
      • Mandatory Evidence Chain (Category 8):
          • Ingestion points: scripts/batch-convert.py and references/advanced-features.md show the use of md.convert(source) and md.convert_uri(), which ingest untrusted local files, remote URLs, and data URIs.
          • Boundary markers: Absent. The resulting Markdown is provided directly to the agent without delimiters or safety warnings to ignore instructions inside the converted text.
          • Capability inventory: Scripts like scripts/batch-convert.py have filesystem write access (output_file.write_text), and the library itself performs network operations to fetch remote content.
          • Sanitization: Absent. The skill does not sanitize the converted text to remove potential prompt injection payloads embedded within the source documents.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 05:38 PM