Trust Assessment
markitdown-skill received a trust score of 91/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 1 medium, and 1 low severity. Key findings include Node lockfile missing, Unpinned Python Dependencies.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| MEDIUM | Unpinned Python Dependencies The skill's installation instructions and manifest specify Python packages (`markitdown[all]`, `openai`) without pinning specific versions. This can lead to supply chain risks, as future versions of these packages or their transitive dependencies could introduce vulnerabilities, breaking changes, or malicious code without explicit review. The `markitdown[all]` extra is particularly broad, pulling in many dependencies. Pin specific versions for all Python dependencies (e.g., `markitdown[all]==X.Y.Z`, `openai==A.B.C`) in the manifest or a `requirements.txt` file. Regularly review and update pinned versions to mitigate risks from upstream changes. | LLM | SKILL.md:42 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/karmanverma/markitdown-skill/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/f9716c627cdeb0e9)
Powered by SkillShield