Trust Assessment
markdown-converter received a trust score of 56/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Potential Command Injection via `uvx markitdown` arguments", "Potential Data Exfiltration via external endpoint in `uvx markitdown -e`", and "Skill enables broad filesystem read/write access".
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The static_code_analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 326f2466). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via `uvx markitdown` arguments.** The skill describes the `uvx markitdown` command, which takes file paths and other strings as arguments. If the LLM constructs this command using unsanitized user-provided input for arguments (e.g., file names, extensions, MIME types), it could lead to command injection. An attacker could inject shell metacharacters (e.g., `;`, `\|`, `&`, `$()`) into these arguments, causing arbitrary commands to be executed on the host system. While the skill itself is descriptive (rubric mode), it defines the interface for a command that is vulnerable to injection if not properly handled by the invoking LLM. Implement robust input validation and sanitization for all arguments passed to `uvx markitdown` when constructing the command. Consider using a safer execution method that avoids direct shell interpretation of arguments, or strictly whitelist allowed characters/patterns for inputs. Ensure the LLM is instructed to sanitize all user-provided inputs before passing them to this skill. | Unknown | SKILL.md:10 |
| HIGH | **Potential Data Exfiltration via external endpoint in `uvx markitdown -e`.** The skill describes the `-e ENDPOINT` option for `uvx markitdown`, which allows specifying an Azure Document Intelligence endpoint. If the LLM constructs this command using an attacker-controlled endpoint and processes sensitive user data (e.g., from `scan.pdf`), that data could be exfiltrated to the attacker's server. While the skill itself is descriptive (rubric mode), it defines an interface that enables data exfiltration if the endpoint is not validated by the invoking LLM. Strictly validate and whitelist allowed endpoints for the `-e` option. Do not allow user-provided arbitrary URLs for external services, especially when processing sensitive data. Ensure that any data sent to external services is appropriately anonymized or redacted if it contains sensitive information. | Unknown | SKILL.md:49 |
| MEDIUM | **Skill enables broad filesystem read/write access.** The `uvx markitdown` tool, as described by the skill, can read various file types (PDF, DOCX, XLSX, etc.) from arbitrary paths and write output to arbitrary file paths using the `-o` option. While the skill itself doesn't execute these operations (rubric mode), it defines an interface that grants the LLM the capability to perform broad filesystem read and write operations. If an LLM is prompted to process or save files based on untrusted input, this broad access could be abused to read sensitive files or overwrite critical system files. When invoking this skill, ensure that the LLM operates within a sandboxed environment with restricted filesystem access. Implement strict access control policies for file paths provided to the `uvx markitdown` tool, limiting it to designated safe directories. The LLM should validate all file paths provided by users. | Unknown | SKILL.md:10 |
| MEDIUM | **Unpinned `markitdown` dependency via `uvx`.** The skill instructs the LLM to use `uvx markitdown`. `uvx` is a tool for running Python applications, and `markitdown` is the application being run. The skill does not specify a version for `markitdown`, meaning `uvx` would likely fetch the latest available version. This introduces a supply chain risk, as a malicious update to the `markitdown` package could be automatically pulled and executed without review. While the skill is descriptive (rubric mode), it defines an invocation pattern that lacks version pinning. Specify a pinned version for the `markitdown` package when using `uvx` (e.g., `uvx markitdown==1.2.3`). Implement a mechanism to review and approve dependency updates before deployment to mitigate risks from malicious or vulnerable package versions. | Unknown | SKILL.md:10 |