Rvt To Ifc

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is suspicious due to its reliance on executing an external, unsanitized `RVT2IFCconverter.exe` via `subprocess.run` in `SKILL.md`. While `subprocess.run` is used with a list of arguments (mitigating direct shell injection from Python), the arguments themselves, particularly the `config` string, are constructed from potentially user-controlled input without explicit sanitization. This creates a potential command injection vulnerability if the external executable is not robust in parsing its arguments, and if the AI agent does not sanitize user input before passing it to the skill's functions. The skill also requests `filesystem` permission, which is necessary for its stated purpose but amplifies the risk of any such injection.