lovstudio-png2svg

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md interpolate the user-provided variables (INPUT_PNG, OUTPUT_SVG) directly into shell commands without quoting or sanitization. This creates a command-injection surface if a user supplies a malicious file path (e.g., one containing a ; or backtick characters).
  • Ingestion points: The variables INPUT_PNG and OUTPUT_SVG are extracted from user input.
  • Boundary markers: Absent. There are no instructions or delimiters provided to treat these variables as literal strings or to ignore embedded shell metacharacters.
  • Capability inventory: The skill utilizes the Bash tool to execute magick, vtracer, npx, and rm commands in SKILL.md.
  • Sanitization: No sanitization, escaping, or shell-quoting is applied to the input variables before they are passed to the shell.
Audit Metadata
Risk Level
SAFE
Analyzed
May 7, 2026, 06:36 AM