If you discover a security vulnerability in pdf2md, please report it privately:
- Email: jackschofield1@googlemail.com
- Subject: [pdf2md] Security Vulnerability
Please do not file a public GitHub issue for security vulnerabilities.
pdf2md is a local CLI tool. It:
- Reads PDF files from your local filesystem
- Sends extracted text to the Google Gemini API (when AI mode is enabled)
- Writes Markdown output to your local filesystem

Reports about pdf2md itself are in scope, for example:
- Command injection vulnerabilities
- API key exposure
- File path traversal
- Unsafe temp file handling

The following are out of scope for this project and should be reported upstream:
- Google Gemini API security (report to Google)
- PyMuPDF vulnerabilities (report to the PyMuPDF project)

Recommendations for users:
- Never commit your `GEMINI_API_KEY` to source control
- Be cautious when processing untrusted PDFs: malformed PDFs can exploit parser bugs in PyMuPDF
- Review the extracted text before sharing, as it may contain sensitive information