webp-to-jpg
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The instructions in SKILL.md and examples.md direct the AI agent to construct a shell command using 'python -c' that interpolates user-provided file paths directly into a Python code string. This is a classic injection vector. * Ingestion points: File paths from user input. * Boundary markers: None. * Capability inventory: File system write and arbitrary command execution via shell. * Sanitization: None. * Evidence: '<webp_image_path>' interpolation in SKILL.md and examples.md.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires 'Pillow', a standard and trusted Python image processing library, installed via pip. Evidence: 'pip install Pillow' in README.md and SKILL.md.
Recommendations
- AI detected serious security threats
Audit Metadata