markitdown
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a significant attack surface for indirect prompt injection by converting untrusted external data into context for the LLM.
  - Ingestion points: scripts/convert_webpage.py (URLs) and scripts/batch_convert.py (local files and directories).
  - Boundary markers: No delimiters or safety instructions are implemented to prevent the agent from obeying instructions found within the converted text.
  - Capability inventory: The skill allows for file system writes (batch_convert.py), network access for scraping and API calls, and processing of complex binary formats like ZIP and PDF.
  - Sanitization: No input sanitization or filtering of extracted content is present in the conversion logic.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): Recommends installing the markitdown package. Per [TRUST-SCOPE-RULE], this is downgraded to LOW as it is a project maintained by Microsoft, a trusted organization.
- [Command Execution] (MEDIUM): The skill includes Python scripts that facilitate batch processing of files and web content, providing a mechanism for an agent to ingest large volumes of potentially malicious data at the direction of an attacker.
- [Dynamic Execution] (MEDIUM): The documentation notes a plugin system (enable_plugins=True) which, if enabled by the agent, would allow the loading and execution of arbitrary conversion code, increasing the risk of code injection.
Recommendations
- AI detected serious security threats
Audit Metadata