skills/datadrivenconstruction/ddc_skills_for_ai_agents_in_construction/dwg-to-excel/Gen Agent Trust Hub
dwg-to-excel
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Python integration in `SKILL.md` uses `subprocess.run` to invoke a local executable named `DwgExporter.exe`. This command execution is the primary mechanism for the skill's file conversion functionality.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by extracting and processing text-based entities (TEXT, MTEXT, and ATTRIB) from untrusted DWG files provided by users.
  - Ingestion points: Data is read from the generated Excel file using the `read_entities` and `get_text_content` methods in `SKILL.md`.
  - Boundary markers: The skill does not implement delimiters or 'ignore' instructions for the extracted CAD text content.
  - Capability inventory: The skill uses `subprocess.run` for binary execution and has `filesystem` permissions as defined in `claw.json`.
  - Sanitization: There is no explicit sanitization or validation of the text content extracted from the DWG entities before processing.