lovstudio-png2svg

Pass

Audited by Gen Agent Trust Hub on Jun 5, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core functionality relies on executing shell commands for image processing and file cleanup using tools such as magick, vtracer, svgo, and rm, as defined in SKILL.md.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by interpolating user-provided file paths directly into shell commands without sanitization.
  • Ingestion points: External inputs INPUT_PNG and OUTPUT_SVG are used to build command strings in SKILL.md.
  • Boundary markers: No delimiters or safety warnings are present to isolate the interpolated variables from the surrounding shell command logic.
  • Capability inventory: The skill performs multiple subprocess calls (magick, vtracer, npx svgo, rm) as documented in SKILL.md.
  • Sanitization: The skill does not perform any validation, escaping, or sanitization of the file paths before they are executed in the shell environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 5, 2026, 03:25 AM
Security Audit — agent-trust-hub — lovstudio-png2svg