markitdown
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external content from local documents and URLs, creating a vulnerability where malicious instructions in the source files could influence the agent's behavior.
  - Ingestion points: Local files (.pdf, .docx, .xlsx, .pptx, etc.) and remote URLs via `markitdown` command.
  - Boundary markers: Absent; the skill does not wrap output in delimiters or instruct the agent to ignore embedded instructions.
  - Capability inventory: Full `Bash` tool access, including file system write capabilities via shell redirection (`>`).
  - Sanitization: No sanitization or validation of the ingested content is performed before the agent processes the resulting Markdown.
- [Command Execution] (MEDIUM): The skill uses the `Bash` tool to execute the `markitdown` CLI.
  - Risk: If an attacker can control the filename (e.g., via a downloaded file), they might attempt shell injection (e.g., `markitdown "; rm -rf /; ".pdf`). The skill documentation does not provide guidance on escaping shell arguments.
- [Unverifiable Dependencies] (LOW): The skill requires the `markitdown` Python package.
  - Trust Scope: This package is maintained by Microsoft (a trusted organization), which downgrades this specific finding to LOW per [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats
Audit Metadata