markitdown

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Hardcoded API key detected

All findings:
[CRITICAL] hardcoded_secrets: Hardcoded API key detected (HS001) [AITech 8.2]
[CRITICAL] hardcoded_secrets: Hardcoded API key detected (HS001) [AITech 8.2]
[CRITICAL] hardcoded_secrets: Hardcoded API key detected (HS001) [AITech 8.2]

This skill's documentation and capabilities are consistent with a document-to-Markdown conversion tool that optionally integrates with LLMs (OpenRouter) and Azure Document Intelligence. There is no direct evidence of malicious code or hidden exfiltration in the provided fragment. However, notable supply-chain risks exist: installing optional extras and enabling third-party plugins introduces the potential for malicious plugin code or compromised dependencies to execute and exfiltrate data or misuse API keys. The user should: (1) verify the package source (official PyPI/GitHub repository), (2) avoid enabling untrusted plugins, (3) provide API keys via secure means (env vars or secret stores) and not paste them into untrusted contexts, and (4) audit installed optional dependencies and plugins before use.

LLM verification: Based on the provided documentation-only artifact, MarkItDown appears to be a legitimate document-to-Markdown conversion tool with optional AI and cloud integrations. No concrete evidence of malicious code or obfuscated backdoors can be found in the documentation alone. Primary security concerns are: (1) privacy exposure because AI/Azure integrations will transmit user content to external endpoints when enabled; (2) supply-chain risks from unpinned pip/git installation instructions; and (3) docu

Confidence: 90%
Severity: 85%
Audit Metadata
Analyzed At
Feb 21, 2026, 04:23 AM
Package URL
pkg:socket/skills-sh/k-dense-ai%2Fclaude-scientific-writer%2Fmarkitdown%2F@c34901af08a5dac40ec9035b4706e5c09c91d1b7