markitdown
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes data from untrusted sources such as PDFs, Office documents, and web pages, which makes it vulnerable to indirect prompt injection where hidden instructions in these documents could manipulate the agent's behavior.
- Ingestion points: Data is ingested via the markitdown.convert() method from local files in 'scripts/batch_convert.py' and from URLs in 'scripts/convert_webpage.py'.
- Boundary markers: The skill does not implement delimiters or safety instructions to distinguish converted content from system prompts.
- Capability inventory: The skill can write files to the local disk and send data to external LLM providers (OpenAI, Azure).
- Sanitization: No sanitization or filtering is applied to the content extracted from processed files or URLs.
- [REMOTE_CODE_EXECUTION]: As documented in 'references/advanced_integrations.md', the skill supports a plugin system that allows users to register custom Python classes for conversion tasks. When enabled, this feature permits the execution of arbitrary Python code with system-level access.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download content from the web and YouTube for processing. It also lists several third-party libraries for installation that are necessary for its advanced features.
Audit Metadata