Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ConvertAgent
v0.1.0Use ConvertAgent for file format conversions through the local CLI. Trigger for any request to convert files (documents, images, audio, video, spreadsheets,...
⭐ 0· 267·1 current·1 all-time
bySenthil@enigami12
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to use a local CLI (convertagent) and even references a Node CLI at /root/projects/convertagent/dist/cli.js and a systemd unit. However the metadata declares no required binaries, no install spec, and no config paths. A conversion skill legitimately needs a conversion binary/service and possibly Node; those should be declared. Omitting them is an incoherence.
Instruction Scope
Runtime instructions reference system paths (/root/projects/convertagent, /etc/systemd/system/convertagent.service), a localhost HTTP health endpoint, and direct shell commands. They also instruct the agent to install missing system dependencies and to verify/modify files. This expands scope beyond simple file conversion (it touches system config and performs installs) and is not limited or documented in the metadata.
Install Mechanism
There is no install spec, yet the SKILL.md tells the agent to install missing system dependencies and points to a local Node CLI path. No sources, package names, or trusted release hosts are provided. That creates risk: the agent may be instructed to run package-manager or arbitrary install commands without guidance or provenance.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a local conversion tool. However it implicitly expects access to system paths (root-owned repo path, systemd unit) that grant elevated privileges; those accesses are not declared and may be disproportionate.
Persistence & Privilege
The instructions imply modifying system state (installing dependencies, interacting with a systemd unit) which is a privileged action. While the skill isn't marked always:true, its guidance to install system dependencies and reference /etc/systemd may cause permanent or privileged system changes if the agent follows it.
What to consider before installing
This skill's instructions assume a local ConvertAgent service and Node CLI at /root/projects/convertagent and tell the agent to install missing system dependencies — but the package/metadata provide no install instructions or required binaries. Before installing or enabling this skill:
- Verify whether convertagent and Node are actually installed where the SKILL.md expects. If not, ask the author for explicit, trusted install steps (including package names, sources, and whether root is required).
- Treat any guidance that installs system packages or touches /etc/systemd as high-risk: run in a sandbox or isolated VM, or review and run those install steps manually yourself.
- Inspect the repository and systemd unit referenced (/root/projects/convertagent and /etc/systemd/system/convertagent.service) before letting the agent execute anything there.
- Prefer a skill that declares required binaries (e.g., node, convertagent), provides official download/release URLs, or includes an install spec rather than implicit install instructions.
If the author provides a clear install spec (trusted release URLs, required binaries listed) and removes instructions to modify system units or to auto-install packages, the assessment could be re-evaluated as less risky.Like a lobster shell, security has layers — review code before you run it.
latestvk97a184zj55n83c79x2mycfes582fkep
License
MIT-0
Free to use, modify, and redistribute. No attribution required.