markitdown

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). MarkItDown explicitly ingests public, user-generated content — e.g., SKILL.md and examples show converting YouTube URLs (md.convert("https://www.youtube.com/watch?v=VIDEO_ID")) and web/HTML content — so untrusted third‑party transcripts/pages are fetched and returned as text that downstream LLMs or automation could read and influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls the OpenRouter API at runtime (https://openrouter.ai/api/v1) to generate images and to obtain review critique which is then injected into and used to modify subsequent prompts/decisions (e.g., improve_prompt/regeneration), so remote content directly controls agent prompts and is required for those AI-enhanced features.