markitdown

Fail

Audited by Socket on Jun 17, 2026

1 alert found:

Obfuscated File
Obfuscated FileHIGH
references/api_reference.md

The provided fragment is a documentation/API reference and contains no direct malicious code. However, the documented features (third-party plugins via package entry_points, custom converters executing in-process, and optional outbound LLM/Azure integrations) create realistic supply-chain and data-exfiltration risks: a malicious or compromised plugin or converter can read sensitive documents, environment variables, and then exfiltrate them to remote services. Treat plugins and custom converters as untrusted code, use least-privilege credentials, run conversions in isolated environments for sensitive data, and vet and lock plugin dependencies before installation.

Confidence: 90%
Audit Metadata
Analyzed At
Jun 17, 2026, 01:37 AM
Package URL
pkg:socket/skills-sh/plurigrid%2Fasi%2Fmarkitdown%2F@3264aa121841bf57305cbc42b3a7cc794e9fe9f2b11c5629d6394e525615e73b
Security Audit — socket — markitdown