← MCP Scorecard / microsoft/markitdown
BLow risk

microsoft/markitdown

composite 94 / 100 · pinned commit e144e0a2be95 · ruleset pack-mcp-core@0.1.0 · 32,981/wk
Grade capped at Bhigh-unresolved:cap-B.
Tool-description injection w20100
Credential / secret handling w20100
Network egress / SSRF w2075
Permission scope vs declared w25100
Supply-chain provenance w1590

Findings

Each finding names the rule it triggered, what that rule means, its CWE reference, and the line of code it points at. An observed code path, published as a flow, never as intent.

High  MCP-SSRF-USER-CONTROLLED-URL

an HTTP request (incl. wrapped local fetch helpers) targets a host derived from tool input with no allowlist

packages/markitdown-mcp/src/markitdown_mcp/__main__.py:21
Medium  MCP-DEPS-UNPINNED

no committed lockfile, so installs are not reproducible

packages/markitdown-mcp/pyproject.toml:26

Embed this grade

MCP security: grade BMCP securityB
Grade B — Low risk
[![MCP security: B](https://sentinel-engine-ggaj.onrender.com/registry/badge/microsoft__markitdown.svg)](https://sentinel-engine-ggaj.onrender.com/registry/microsoft__markitdown.html)

🔁 Verify it yourself: clone microsoft/markitdown at e144e0a2be95 and run the open scanner (anwen-labs/sentinel-mcp, ruleset pack-mcp-core@0.1.0). Same input → same grade, every time.