rvt-to-ifc
Audited by Socket on Mar 5, 2026
1 alert found:
Obfuscated File

The Python wrapper itself is low-risk: readable, uses subprocess.run with an argument list (no shell=True), and performs reasonable input checks and simple validation. The primary and material security concern is the unsigned/undisclosed native converter executable (RVT2IFCconverter.exe / RvtExporter). Because the wrapper will execute that binary with the user's privileges and pass user-supplied arguments (paths and config), the executable could perform arbitrary, potentially malicious actions (file system modifications, network communication, credential access/exfiltration).

Recommendations: obtain the native converter from a verified source, validate its checksum/signature, run it in an isolated environment (VM/container) before trusting it with sensitive data, and add path sanitization and optional integrity checks in the wrapper. The wrapper should also document provenance, provide safer defaults (e.g., deny writing outside a configured output root), and consider detecting unexpected network activity from the converter.