md2docx
Audited by Socket on Mar 3, 2026
1 alert found:
Malware

The package/skill delegates Markdown-to-DOCX conversion to third-party endpoints and will upload user content and an API key to deepshare.app domains. Functionality aligns with its intended purpose, but this creates a moderate privacy and credential-hygiene risk: an embedded trial API key is present and the skill encourages storing API keys in YAML, which can lead to accidental leaks or abuse. There is no evidence in the provided text of obfuscated code, backdoors, or malware-like behavior, but the actual conversion script (scripts/convert.py) was not provided and must be audited to rule out additional risks (e.g., exfiltration of other local secrets, unexpected network calls, or arbitrary code execution).

Recommendations:
(1) Do not use the trial key for sensitive content;
(2) Prefer local file mode for confidential documents;
(3) Store API keys in environment variables or secret stores, not in YAML;
(4) Vet the deepshare.app service (privacy policy, retention, TLS configuration) before sending sensitive data;
(5) Review scripts/convert.py and any transitive code before deployment.