Batch Cad Converter
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: batch-cad-converter Version: 2.0.0 The skill is classified as suspicious due to a significant argument injection vulnerability in `SKILL.md`. The `batch_convert` method allows user-controlled `options` to be directly appended to the command executed via `subprocess.run`. While `subprocess.run` with a list of arguments mitigates shell injection, it remains vulnerable to argument injection, where a malicious user could pass arguments that cause the external converter executables (e.g., `RvtExporter.exe`) to perform unintended actions. This is a critical vulnerability, but not evidence of intentional malice by the skill's author. The `filesystem` permission is declared and necessary for the skill's function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad or untrusted converter program could run with the user's local permissions during conversion.
The skill expects the agent to invoke local converter programs. This is purpose-aligned for CAD conversion, but users should ensure the selected converter binaries and arguments are trusted.
subprocess.run() is used for invoking format-specific CLI converters
Use only trusted, locally installed CAD/BIM converters and confirm the input/output directories and conversion options before running a batch.
The safety and correctness of conversions depend on converter programs already present on the user's machine.
The skill depends on external local converter tools, but the artifacts do not provide an install specification or pinned trusted sources for those tools.
Each converter must be installed locally
Install converters from official vendor sources, avoid unknown executables, and verify which converter will be used before processing important files.