to-markdown
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs necessary Python packages including 'markitdown', 'trafilatura', 'playwright', and 'anthropic' using the 'uv' package manager. These packages originate from trusted organizations such as Microsoft and Anthropic, or well-known open-source contributors.- [COMMAND_EXECUTION]: The skill executes shell commands to install dependencies ('uv pip install') and setup browser environments ('playwright install chromium'). These commands are standard for the skill's operational requirements.- [PROMPT_INJECTION]: The skill processes untrusted content from external files and URLs, presenting a surface for indirect prompt injection.
- Ingestion points: Untrusted data enters via 'md.convert' for local files in 'SKILL.md' and through URL fetching in 'references/fetch.md'.
- Boundary markers: There are no explicit markers used to delimit converted content from the agent's instructions.
- Capability inventory: The skill possesses capabilities for reading/writing files, performing network requests, and executing system commands for environment setup.
- Sanitization: The skill performs format conversion but does not explicitly sanitize or filter the extracted text for embedded instructions.- [DATA_EXFILTRATION]: An optional feature for image description involves sending data to the Anthropic API. This is documented as an opt-in feature that requires explicit user confirmation before any data is transmitted.
Audit Metadata