Is markdown-converter safe?

https://clawhub.ai/steipete/markdown-converter

82
SAFE

This skill is a straightforward documentation wrapper for the markitdown Python tool. It contains no executable code, no prompt injection patterns, no git hooks, and no suspicious behavior during installation. The primary risk is indirect: the skill instructs agents to run a third-party PyPI package at runtime via uvx, creating a supply-chain trust dependency. The --use-plugins and Azure endpoint options expand the attack surface if misused.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Runtime PyPI package execution via uvx -20

The skill instructs the agent to run uvx markitdown which downloads and executes the markitdown Python package from PyPI on every invocation. This is an implicit trust dependency on the PyPI supply chain. If the markitdown package were compromised, any agent using this skill would execute malicious code.

LOW Azure Document Intelligence sends documents to external endpoint -10

The -d -e ENDPOINT option sends document content to a user-specified Azure endpoint for processing. While this is a legitimate feature, an agent could be tricked into sending sensitive documents to an attacker-controlled endpoint if the URL is manipulated.

LOW Plugin loading flag could enable untrusted code -15

The --use-plugins flag enables third-party markitdown plugins. If an agent uses this flag, it could load and execute untrusted plugin code. The skill documents this as an available option without warning about security implications.

LOW File content piped through third-party tool -10

Patterns like cat input.pdf | uvx markitdown pipe potentially sensitive file content through a third-party package. The tool processes the full document content in memory.

INFO OpenClaw agent reads sensitive config files during bootstrap -10

The filesystem monitoring shows reads of .env, .aws/credentials, and .openclaw config files. These are attributable to the OpenClaw agent bootstrap process, not the skill itself, but they demonstrate what files are accessible in the execution environment.

INFO Malicious document parsing risk -25

Since the skill processes arbitrary user-supplied files (PDF, DOCX, PPTX, etc.), a crafted document could potentially exploit parsing vulnerabilities in the markitdown library or its dependencies (e.g., python-pptx, pdfminer). This is a standard risk for any document converter, but it is worth noting.