MarkItDown

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent local document-conversion helper; the main things to notice are its disclosed PyPI dependency install and its ability to read chosen files and write Markdown output.

Before installing, be comfortable with downloading markitdown[all] and its dependencies from PyPI. Verify the package source if Microsoft provenance matters to you, and only give the skill files, directories, or URLs you intend to process.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may download and run third-party Python packages and their dependencies on the user's machine.

Why it was flagged

The skill installs an unpinned package with all extras from PyPI into a local virtual environment. This is disclosed and purpose-aligned, but it depends on external package provenance and dependency resolution at install time.

Skill content

python3 -m venv .venv && .venv/bin/pip install 'markitdown[all]'

Recommendation

Install only if you trust the package source; consider pinning or reviewing dependency versions if using it in a sensitive environment.

What this means

The agent can convert files or fetched URL content into Markdown when invoked, which may expose that content to the agent's working context.

Why it was flagged

The skill can read local files for conversion and may make network requests for URL-based inputs. This is expected for the stated purpose and is explicitly disclosed.

Skill content

Processing certain formats (like YouTube URLs) requires external network access to fetch the content. Processing local files requires access to the directory where the target files are located.

Recommendation

Use it only for files and URLs you intentionally want converted, and review output paths before writing generated Markdown files.