markitdown
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the 'markitdown' package from Microsoft's official GitHub repository and PyPI, which are established and trusted sources.
- [COMMAND_EXECUTION]: The script
scripts/generate_schematic.pyexecutes a secondary Python script usingsubprocess.run. The command is constructed using a list of arguments rather than a shell string, which is a secure practice that prevents shell injection vulnerabilities. - [PROMPT_INJECTION]: Documentation in
SKILL.mdincludes instructions for the agent to automatically generate scientific schematics for new documents by default. While this influences the agent's intended behavior, it is presented as a functional enhancement for document preparation. - [PROMPT_INJECTION]: The skill's primary function involves processing content from untrusted external files (such as PDFs, DOCX, and XLSX) using the
markitdownlibrary. This creates a surface for indirect prompt injection where malicious instructions embedded in a processed document could influence the agent's behavior. - Ingestion points: Files are ingested via
md.convert()inscripts/batch_convert.py,scripts/convert_literature.py, andscripts/convert_with_ai.py. - Boundary markers: No explicit boundary markers or 'ignore embedded instruction' warnings are used when processing the extracted text.
- Capability inventory: The skill has capabilities for file writing (
Path.write_text), network operations (requests.postto OpenRouter), and subprocess execution (subprocess.run). - Sanitization: Content is converted to Markdown but no additional sanitization or instruction filtering is applied to the extracted text before it enters the agent's context.
Audit Metadata