Trust Assessment
markdown-converter received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via unsanitized filenames, Direct Data Exfiltration via configurable external endpoint, Arbitrary Code Execution and Supply Chain Risk via 3rd-party plugins.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Direct Data Exfiltration via configurable external endpoint The skill exposes an option `-e ENDPOINT` to specify an arbitrary URL for Azure Document Intelligence. This allows an attacker to direct the `markitdown` tool to send the content of processed documents (which can be sensitive) to a malicious server controlled by the attacker. This is a direct and high-impact data exfiltration vector, as the tool is designed to process various document types, including those potentially containing sensitive information. Restrict the `-e ENDPOINT` option to a predefined allowlist of trusted Azure Document Intelligence endpoints. If arbitrary endpoints are strictly necessary, implement robust data governance, user consent mechanisms, and ensure no sensitive data is processed or transmitted without explicit authorization and auditing. | LLM | SKILL.md:30 | |
| CRITICAL | Arbitrary Code Execution and Supply Chain Risk via 3rd-party plugins The `--use-plugins` option allows enabling arbitrary 3rd-party plugins. This introduces a significant supply chain risk as untrusted or malicious plugins could be loaded and executed, leading to arbitrary code execution, data exfiltration, system compromise, or other malicious activities within the agent's execution environment. This grants excessive permissions to potentially untrusted code. Remove or severely restrict the `--use-plugins` option. If plugins are absolutely necessary, implement a strict allowlist of trusted, vetted plugins, and ensure they run in a highly sandboxed environment with minimal permissions. Regularly audit and update allowed plugins and their dependencies. | LLM | SKILL.md:32 | |
| HIGH | Potential Command Injection via unsanitized filenames The `uvx markitdown` command takes user-provided filenames as arguments (e.g., `input.pdf`, `output.md`). If these arguments are not properly sanitized or quoted when constructing the shell command, an attacker could inject arbitrary shell commands. For example, `uvx markitdown "file.pdf; rm -rf /"` or `uvx markitdown input.pdf -o "output.md; malicious_command"` could lead to arbitrary code execution within the agent's environment. Ensure all user-provided arguments passed to `uvx markitdown` are properly sanitized and/or quoted to prevent shell metacharacter interpretation. Consider using a library that safely executes external commands (e.g., `subprocess.run` with `shell=False` in Python, passing arguments as a list) or implementing strict input validation. | LLM | SKILL.md:10 |
Scan History
Embed Code
[](https://skillshield.io/report/66073deeb736fda9)
Powered by SkillShield