Skills
skills/boshu2/agentops/converter/Gen Agent Trust Hub

converter

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/convert.sh script utilizes rsync -a --copy-links to process resource directories. By following symbolic links, the script could be induced to copy sensitive system files or directories into the converter's output folder if a source skill contains malicious symlinks.
  • [COMMAND_EXECUTION]: The conversion pipeline includes a clean-up step that executes rm -rf on an output directory path. Part of this path is constructed using the name field from the skill's YAML frontmatter. Because this field is not sanitized for path traversal sequences (such as ../), a malformed skill name could potentially cause the script to delete unintended files or directories outside of the designated converter directory.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 12:17 PM
Security Audit — agent-trust-hub — converter