markitdown
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process a wide variety of untrusted file formats (PDF, DOCX, XLSX, HTML, etc.), which represents a significant attack surface for indirect prompt injection.
- Ingestion points:
scripts/batch_convert.py,scripts/convert_literature.py, andscripts/convert_with_ai.pyread arbitrary files from the local filesystem. - Boundary markers: The scripts do not implement strict boundary markers or sanitization when converting document content to Markdown. They simply concatenate extracted text into the output file, which could allow maliciously crafted documents to influence downstream agent behavior if the agent reads the resulting Markdown.
- Capability inventory: The skill possesses capabilities for local file writing and network operations (via OpenRouter and Azure Document Intelligence).
- Sanitization: No sanitization or escaping of extracted text content is performed before writing it to the output files.
- Dynamic Execution (MEDIUM): The skill documentation and the
batch_convert.pyscript expose a plugin system that allows loading 3rd-party Python packages to handle custom file formats. While this is a documented extensibility feature of themarkitdownlibrary, it allows for dynamic code loading from the environment if the--pluginsflag is enabled. The documentation's suggestion to find plugins via GitHub tags could lead users to install untrusted code. - Network Operations (LOW): The
scripts/convert_with_ai.pyscript andapi_reference.mddocumentation describe integrations with OpenRouter and Azure Document Intelligence. These operations involve sending document content (including images) to external services, which may have data privacy implications for sensitive documents.
Audit Metadata