Microsoft MarkItDown

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for converting user-selected files to Markdown. The cautions that apply are the ones you would expect for its optional cloud OCR and LLM features: they are off unless configured, and once configured they send file content off the machine.

Install MarkItDown from a trusted source, preferably in a virtual environment, and install only the extras you need. Use the local conversion path for confidential files unless you have deliberately accepted sending the selected document, image, or presentation content to OpenAI, Azure, or enabled plugins under their data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill documents the use of OpenAI-backed image description/OCR features but does not clearly warn users that document or image contents are transmitted to a third-party API for processing. In an agent setting, users may reasonably assume conversion is local, so this omission can lead to unintended disclosure of sensitive file contents, especially for PDFs, presentations, and embedded images.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill recommends Azure Document Intelligence for document conversion without warning that uploaded document contents are sent to Microsoft's cloud service. If used on confidential documents, this can cause unanticipated external disclosure because the workflow presents the feature as a normal conversion option rather than a remote-processing step.
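Both findings come down to the same gap: the remote-processing features are presented as ordinary conversion options rather than as an explicit step the user approves. The wrapper below, added here as an example and not code from the MarkItDown project or from this skill, makes that step explicit: it works out which third-party service would receive a given file, refuses to send confidential files unless the caller has opted in, and passes the cloud settings to MarkItDown only when they would actually be used. The constructor keyword names `llm_client`, `llm_model`, `docintel_endpoint` and `enable_plugins` are assumed to match MarkItDown's documented API; the policy object, the file-type tables and the helper functions are this example's own and are labelled as such in the code.

```python
"""Local-by-default wrapper around MarkItDown: remote processing is an explicit opt-in.

Added example, not MarkItDown's or the skill's own code. Assumes the MarkItDown
constructor accepts llm_client, llm_model, docintel_endpoint and enable_plugins
(names taken from the project README); everything else here is illustrative.
"""
import warnings
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

try:
    from markitdown import MarkItDown  # only needed for a real conversion, not for the checks
except ImportError:  # lets the policy checks run without the package installed
    MarkItDown = None

# Assumed mapping of file types to the remote feature that would see their content:
# image files and slide decks can be described by the LLM client, office/PDF
# documents can be uploaded to Azure Document Intelligence.
LLM_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp", ".pptx"}
DOCINTEL_SUFFIXES = {".pdf", ".docx", ".pptx", ".xlsx"}


class RemoteProcessingRefused(Exception):
    """Raised when a confidential file would be sent to a third-party service."""


@dataclass
class ConversionPolicy:
    """Illustrative policy object: cloud features stay inert until allow_remote is set."""
    confidential: bool = True
    allow_remote: bool = False          # caller must flip this explicitly
    llm_client: object = None           # e.g. an OpenAI client; None keeps conversion local
    llm_model: Optional[str] = None
    docintel_endpoint: Optional[str] = None
    enable_plugins: bool = False        # plugins may ship their own remote calls


def remote_features(path: str, policy: ConversionPolicy) -> dict:
    """Which configured remote features would actually process this file type."""
    suffix = Path(path).suffix.lower()
    return {
        "LLM image description (OpenAI/Azure OpenAI)":
            policy.llm_client is not None and suffix in LLM_SUFFIXES,
        "Azure Document Intelligence":
            bool(policy.docintel_endpoint) and suffix in DOCINTEL_SUFFIXES,
        "third-party MarkItDown plugins": policy.enable_plugins,
    }


def build_kwargs(path: str, policy: ConversionPolicy) -> dict:
    """MarkItDown constructor kwargs for `path`, with remote processing gated and announced."""
    features = remote_features(path, policy)
    destinations = [name for name, used in features.items() if used]
    if destinations and policy.confidential and not policy.allow_remote:
        raise RemoteProcessingRefused(
            f"{path} is confidential and would be sent to: {', '.join(destinations)}")
    if destinations:
        # The warning the findings above say the skill is missing.
        warnings.warn(f"Remote processing of {path}: {', '.join(destinations)}")
    kwargs = {"enable_plugins": policy.enable_plugins}
    # Cloud settings are passed through only when this file type would use them,
    # so a stray llm_client in the policy cannot silently turn a text file remote.
    if features["LLM image description (OpenAI/Azure OpenAI)"]:
        kwargs.update(llm_client=policy.llm_client, llm_model=policy.llm_model)
    if features["Azure Document Intelligence"]:
        kwargs["docintel_endpoint"] = policy.docintel_endpoint
    return kwargs


def convert(path: str, policy: ConversionPolicy) -> str:
    """Convert `path` to Markdown under `policy`; requires the markitdown package."""
    kwargs = build_kwargs(path, policy)
    if MarkItDown is None:
        raise RuntimeError("markitdown is not installed; run: pip install markitdown")
    return MarkItDown(**kwargs).convert(path).text_content


if __name__ == "__main__":
    cloud = ConversionPolicy(confidential=True,
                             docintel_endpoint="https://example.invalid/docintel",
                             llm_client=object())
    print(build_kwargs("notes.txt", cloud))        # local: cloud settings dropped
    try:
        build_kwargs("board-deck.pptx", cloud)     # refused: confidential + remote
    except RemoteProcessingRefused as err:
        print("refused:", err)
```

Calling `convert("board-deck.pptx", cloud)` with `allow_remote=True` on the policy emits the warning and then builds MarkItDown with the cloud settings; the same call with the default `allow_remote=False` fails closed before anything leaves the machine.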

VirusTotal

64/64 vendors flagged this skill as clean.
