markitdown
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill implements and documents a plugin architecture. Specifically, `MarkItDown` can be initialized with `enable_plugins=True` (supported in `batch_convert.py`), which enables the dynamic discovery and loading of third-party Python packages via entry points. The documentation explicitly encourages users to find and install external plugins from unverified GitHub tags.
- [Indirect Prompt Injection] (LOW): The skill is designed to convert untrusted external documents (PDF, Word, etc.) into Markdown specifically for LLM consumption, creating a significant attack surface.
  - Ingestion points: Content is ingested from local files in `scripts/batch_convert.py`, `scripts/convert_literature.py`, and `scripts/convert_with_ai.py`.
  - Boundary markers: Absent. The scripts do not use XML-style delimiters or 'ignore' instructions when interpolating converted content into final outputs.
  - Capability inventory: Scripts have the capability to write to the local filesystem and perform network operations to AI providers (OpenRouter).
  - Sanitization: Absent. Data is processed and outputted without escaping or structural validation of the converted text.
- [Persistence Mechanisms] (LOW): Multiple documentation files (`INSTALLATION_GUIDE.md`, `OPENROUTER_INTEGRATION.md`) instruct users to persist sensitive API keys by appending export commands to shell profiles like `~/.bashrc` and `~/.zshrc`. While common for setup, this facilitates the persistence of plaintext credentials in shell configuration files.
- [External Downloads] (SAFE): Installation instructions primarily reference the official Microsoft GitHub repository and PyPI, which are considered trusted sources under the defined security policy.