Markdown Converter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Markdown conversion helper, with caution needed for optional cloud processing, URL handling, plugins, and the external converter it runs.

Install if you are comfortable running `uvx markitdown` and trusting its package source. Avoid using Azure Document Intelligence, remote URLs, or `--use-plugins` for sensitive documents unless you intentionally trust the relevant cloud service, URL source, and installed plugins.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises conversion of ZIP archives and YouTube URLs and references Azure Document Intelligence, but it does not warn users that processing remote sources or cloud-backed features may transmit document content or metadata to third-party services. In a document-conversion skill, users may reasonably pass sensitive files or URLs, so omission of a disclosure increases the risk of unintentional data exfiltration and privacy/compliance violations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill exposes `--use-plugins` and `--list-plugins` without any warning that plugins may load and execute third-party code during document processing. In this context, enabling plugins on untrusted systems or with unreviewed plugin sets can materially expand attack surface, leading to arbitrary code execution, data theft, or unsafe outbound network access.

VirusTotal

65/65 vendors flagged this skill as clean.
