lovstudio-png2svg
Pass
Audited by Gen Agent Trust Hub on Jun 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's core functionality relies on executing shell commands for image processing and file cleanup using tools such as magick, vtracer, svgo, and rm, as defined in SKILL.md.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by interpolating user-provided file paths directly into shell commands without sanitization.
  - Ingestion points: The external inputs INPUT_PNG and OUTPUT_SVG are used to build command strings in SKILL.md.
  - Boundary markers: No delimiters or safety warnings are present to isolate the interpolated variables from the surrounding shell command logic.
  - Capability inventory: The skill performs multiple subprocess calls (magick, vtracer, npx svgo, rm) as documented in SKILL.md.
  - Sanitization: The skill does not perform any validation, escaping, or sanitization of the file paths before they are executed in the shell environment.
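The finding above (paths spliced into command strings, no boundary markers, no sanitization) is easiest to see in the shell itself, since that is where the SKILL.md commands run. The script below is an added illustration, not code from the skill, from SKILL.md, or from the audit: `convert_tool` is a stand-in for magick/vtracer/svgo so it runs without those tools, the hostile path is constructed for the demo, and `validate_path` is an assumed policy, not anything the skill specifies. It shows the two ways unsanitized interpolation goes wrong (re-parsing via `eval`, and unquoted expansion) next to a validated, quoted form.

```shell
#!/bin/sh
# Added illustration (not code from the skill, SKILL.md, or the audit).
# convert_tool stands in for magick/vtracer/svgo so the script runs without them:
# it prints its argument count, then each argument on its own line.
convert_tool() {
    printf '%s\n' "$#" "$@"
}

# Pattern 1: the path is spliced into a command string that the shell re-parses.
# Shell metacharacters in the path (; | $( ) and so on) are then executed as code.
unsafe_convert() {
    INPUT_PNG=$1
    OUTPUT_SVG=$2
    eval "convert_tool $INPUT_PNG $OUTPUT_SVG"
}

# Pattern 2: no eval, but the expansion is unquoted, so the path is subject to
# word splitting and globbing. "a.png b.png" arrives at the tool as two arguments.
unquoted_argc() {
    convert_tool $1 | head -n 1
}

# Quoting the expansion keeps the path as exactly one argument.
quoted_argc() {
    convert_tool "$1" | head -n 1
}

# Hardened form: reject anything that is not a plain file name made of safe
# characters, then pass the values quoted. (Assumed policy for the example;
# SKILL.md specifies no such check.)
validate_path() {
    case $1 in
        "")                  return 1 ;;  # empty
        *[!A-Za-z0-9._/-]*)  return 1 ;;  # whitespace or shell metacharacters
        -*)                  return 1 ;;  # would be parsed as an option by the tool
        *..*)                return 1 ;;  # directory traversal
    esac
    return 0
}

safe_convert() {
    INPUT_PNG=$1
    OUTPUT_SVG=$2
    validate_path "$INPUT_PNG"  || { echo "rejected input path: $INPUT_PNG" >&2;   return 2; }
    validate_path "$OUTPUT_SVG" || { echo "rejected output path: $OUTPUT_SVG" >&2; return 2; }
    case $INPUT_PNG  in *.png) ;; *) echo "input must end in .png" >&2;  return 2 ;; esac
    case $OUTPUT_SVG in *.svg) ;; *) echo "output must end in .svg" >&2; return 2 ;; esac
    convert_tool "$INPUT_PNG" "$OUTPUT_SVG"
}

# Demonstration with a constructed hostile path (no real tools are run):
unsafe_convert 'a.png; echo INJECTED' out.svg   # the command after ';' executes
safe_convert  'a.png; echo INJECTED' out.svg    # rejected, returns 2
safe_convert  logo.png logo.svg                 # reaches the tool as two clean arguments
```

The character allowlist is deliberately strict; a production check would additionally resolve the path (for example with `realpath`) and confirm it stays inside an expected working directory, and the agent harness should hand paths to the tool as separate argv entries rather than through a shell string at all. Quoting alone stops word splitting but does not stop an option-looking name or a traversal, which is why the validation step sits in front of it.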
Audit Metadata