Trust Assessment
markitdown received a trust score of 40/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 1 critical, 3 high, 1 medium, and 1 low severity. Key findings include: Dangerous tool allowed: Bash; Network egress to untrusted endpoints; Covert behavior / concealment directives.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Supply Chain Risk via Untrusted Plugins. The skill explicitly encourages users to find and enable third-party plugins from GitHub (e.g., `#markitdown-plugin`). The `scripts/batch_convert.py` script also includes an `--plugins` argument to enable these plugins. If `markitdown` loads and executes code from these untrusted plugins, it introduces a significant supply chain risk. A malicious plugin could execute arbitrary code with the full permissions of the agent, leading to data exfiltration, command injection, or other severe compromises. The skill provides a direct mechanism to enable potentially malicious code from unvetted sources. Strongly advise against installing plugins from untrusted sources. If plugins are necessary, implement a strict vetting process, sandboxing mechanisms, or only allow plugins from a curated, trusted list. At minimum, add a prominent security warning about the risks of installing third-party plugins. | LLM | SKILL.md:158 |
| HIGH | Dangerous tool allowed: Bash. The skill allows the 'Bash' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | cli-tool/components/skills/scientific/markitdown/SKILL.md:1 |
| HIGH | Unpinned Dependency in Installation Instructions. The installation instructions in SKILL.md use an unpinned dependency (`pip install 'markitdown[all]'`). This means that installing the skill could pull the latest version of `markitdown` and its dependencies, which might contain breaking changes, vulnerabilities, or even malicious code introduced in a future release. It is best practice to pin dependencies to specific versions, or at least major versions, to ensure reproducibility and security. Pin the `markitdown` dependency to a specific version (e.g., `markitdown==1.2.3`) or at least a major version (e.g., `markitdown~=1.2`) in the installation instructions. | LLM | SKILL.md:89 |
| HIGH | Potential Command Injection via External Tool Execution (Tesseract). The skill's `SKILL.md` mentions 'OCR for images and scanned documents' and instructs users to 'Install tesseract' for OCR functionality. The Python scripts (`batch_convert.py`, `convert_with_ai.py`, `convert_literature.py`) pass user-controlled file paths (e.g., `input_file`, `file_path`) to the `markitdown.convert()` method. If the `markitdown` library internally executes external command-line tools like Tesseract using `subprocess.run(shell=True)` or `os.system()` without properly sanitizing these user-controlled file paths, a malicious filename (e.g., `image.png; rm -rf /`) could lead to arbitrary command injection. Given the declared 'Bash' permission, this is a credible exploit path. Ensure that the `markitdown` library (or any other dependency that executes external commands) properly sanitizes all user-controlled input, especially file paths, before passing them to shell commands. Avoid `shell=True` in `subprocess.run()` when executing external commands with user-controlled arguments. If `shell=True` is unavoidable, strictly validate and escape all user input. | LLM | SKILL.md:280 |
| MEDIUM | Network egress to untrusted endpoints. HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | Covert behavior / concealment directives. Multiple zero-width characters (stealth text). Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |