Markitdown Converter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal document-to-Markdown converter; the main caution is that batch conversion can create or overwrite local output files.

Prefer installing the dependency in a virtual environment, use narrow input folders for batch conversion, and choose a new or empty output directory to avoid overwriting existing Markdown or extracted-image files.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill clearly documents scripts that write converted Markdown files and extracted images to disk, yet no permissions are declared. This creates a transparency and governance gap: an agent or reviewer may underestimate that the skill performs filesystem writes, especially during batch conversion, increasing the chance of unintended file creation or overwrite.

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The documentation mentions batch conversion but does not clearly warn that it recursively processes all supported files in a directory tree and writes outputs to disk. In agent contexts, this can cause unexpected large-scale file processing, disk usage, or accidental conversion of sensitive documents if the user supplies a broad directory path.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal