Markdown Anything

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent and purpose-aligned, but it uploads selected files to Markdown Anything and uses your API token, so users should only convert files they are comfortable sending to that service.

This skill appears safe for its stated purpose if you are comfortable sending the chosen file to Markdown Anything. Avoid using it on sensitive documents unless your policy allows that provider, and protect the MDA_API_TOKEN because it authorizes API usage on your account.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any file converted with this tool is uploaded to Markdown Anything for processing, so confidential or regulated files may be exposed to that provider.

Why it was flagged

The core workflow sends the selected document to an external provider. This is clearly disclosed and purpose-aligned, but users should notice the data boundary.

Skill content

Files are sent to `https://markdownanything.com/api/v1/convert` for processing

Recommendation

Only convert files you are allowed to send to Markdown Anything, and review the provider's privacy policy for sensitive documents.

What this means

The token can spend credits or access the user's Markdown Anything account features permitted by that token.

Why it was flagged

The script authenticates API calls with the user's Markdown Anything token. This is expected for the service and no token logging or unrelated transmission is shown.

Skill content

-H "Authorization: Bearer ${MDA_API_TOKEN:?MDA_API_TOKEN is not set}"

Recommendation

Use a dedicated API token if available, keep it private, and revoke it if it may have been exposed.

What this means

The skill may fail or behave inconsistently on systems without these tools, especially because no OS restriction is declared.

Why it was flagged

The helper script depends on local bash, curl, and python3, while the registry requirements list no required binaries. The code is visible and simple, so this is a dependency declaration note rather than a malicious signal.

Skill content

#!/usr/bin/env bash
...
RESPONSE=$(curl "${CURL_ARGS[@]}" "https://markdownanything.com/api/v1/convert")
...
python3 -c

Recommendation

Declare the local runtime prerequisites, or verify that bash, curl, and python3 are available before using the skill.