markitdown

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted data from multiple sources (Office docs, PDFs, Web, YouTube) which can contain instructions designed to manipulate the agent's behavior.
      • Ingestion points: markitdown.convert() in scripts/batch_convert.py and SKILL.md accepts arbitrary file paths and URLs.
      • Boundary markers: No explicit delimiters or system instructions are used to separate the converted content from the agent's instructions.
      • Capability inventory: The underlying library may invoke external tools like Tesseract (OCR) or FFmpeg (Audio) and makes network calls to YouTube and Cloud AI providers (Azure, OpenAI).
      • Sanitization: The provided code lacks explicit content sanitization, relying on the library's conversion logic.
  • Data Exposure & Network (LOW): The skill requires network access for specific features like YouTube transcript extraction and AI-powered enhancements. It correctly avoids hardcoded credentials, favoring environment variables and CLI arguments.
  • Dynamic Execution (MEDIUM): The MarkItDown class supports a plugin system (enable_plugins=True). Although disabled by default, this facilitates the execution of arbitrary conversion logic which could be abused if an attacker can influence the plugin configuration.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:28 PM