ConvertAgent
Security checks across malware telemetry and agentic risk
Overview
ConvertAgent has a plausible file-conversion purpose, but it relies on undeclared local executables and tells the agent to install missing system dependencies without clear user approval or scope.
Only install this skill if you trust the local `convertagent` CLI and understand how it was installed. Before use, confirm that missing dependencies will not be installed automatically without your approval, and ask for the exact packages and commands that may be used.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may execute local code that was not included in the reviewed skill package, so users cannot tell from these artifacts what that CLI actually does.
The skill depends on an external local Node CLI outside the provided artifact set, while the registry states there are no required binaries and no install spec. That creates a provenance and review gap for the code the agent is instructed to run.
`node /root/projects/convertagent/dist/cli.js formats`
Provide an install spec, declare `convertagent` as a required binary, include or link to auditable source, and pin any package or binary versions used by the skill.
A routine conversion request could lead to system package installation or environment changes that the user did not explicitly review.
The skill's instructions authorize the agent to modify the local system by installing unspecified dependencies, without defining allowed packages, commands, privilege requirements, or a user-confirmation step.
"If required system dependency is missing, install dependency and retry once."
Require explicit user approval before installing anything, list the exact supported dependencies, and document safe install commands or fail with a clear message when dependencies are missing.
A background service may remain available outside a single conversion task, depending on the user's environment.
The skill discloses a systemd service path and localhost health endpoint, indicating ConvertAgent may run as a persistent local service.
Service unit: `/etc/systemd/system/convertagent.service`
Document whether the service is required, how it is installed, how to stop or remove it, and what local permissions it uses.
