Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SVG to Image

v1.1.1

Convert SVG to PNG or JPG for quick sharing (e.g. Telegram) or print.

by AddinCui @qrost
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
The name/description match the provided code and instructions. The included Python script (cairosvg + Pillow) directly implements SVG→PNG/JPG conversion, and the declared dependencies align with that purpose.
Instruction Scope
SKILL.md instructs the agent to run the script directly (exec) and to not ask for confirmation when the user requests a conversion. The instructions require output files be placed in allowed media dirs (/tmp or ~/.openclaw/media/) which limits exfiltration of results. However, the script uses cairosvg.svg2png with the 'url' parameter: if given a URL or SVG that references external resources, cairosvg may perform network fetches (possible SSRF or unexpected outbound requests). This is a runtime risk inherent to converting arbitrary SVG inputs.
Install Mechanism
No installation spec is provided (instruction-only), so nothing arbitrary is downloaded by the skill itself. The README asks the operator to pip install requirements.txt and to install system libcairo2 which is normal for this task.
Credentials
The skill requests no environment variables, credentials, or config paths. Its resource access (local file paths provided as arguments) is proportionate to converting files.
Persistence & Privilege
always:false (no forced presence). The SKILL.md explicitly tells the agent to execute conversions without asking for confirmation; combined with the platform's normal autonomous invocation, this gives the skill the ability to run the conversion script automatically when triggered. That is not itself incorrect for a conversion utility, but users should be aware it will execute code on-demand.
Assessment
This skill is functionally what it says, but review these points before installing:

(1) You must install cairosvg, Pillow, and system libcairo2 yourself; install from official sources (pip, distro repos).
(2) The agent will run the included Python script automatically (no confirmation) when asked to convert; make sure you trust the input.
(3) SVGs can reference external resources — cairosvg may fetch them, which could leak requests to internal services (SSRF) or cause outbound network activity. Avoid converting untrusted or unknown SVGs, or run the skill in a sandboxed environment.
(4) Follow the SKILL.md instruction to write output to allowed media dirs (/tmp or ~/.openclaw/media/) so the agent can send the file.

If you want stronger guarantees, consider modifying the script to disable URL fetching or validate/clean SVG inputs before rasterizing.
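
One way to do the "validate SVG inputs before rasterizing" step, as an added example that is not part of the skill's convert_svg.py: a standard-library pre-flight check that lists every construct that could make a renderer fetch a resource. The function names and both sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
PROLOG = re.compile(r"<!(DOCTYPE|ENTITY)|<\?xml-stylesheet", re.IGNORECASE)

# Constructed samples: one self-contained file, one with remote references.
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#g"/>
</svg>"""
REMOTE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://internal.example/status" width="1" height="1"/>
  <style>@import url("https://cdn.example/a.css");</style>
  <rect style="fill:url(https://cdn.example/p.svg#p)"/>
</svg>"""


def _is_local(target: str) -> bool:
    """Same-document fragments and inline data: images need no fetch."""
    t = target.strip().lower()
    return t.startswith("#") or t.startswith("data:image/")


def external_refs(svg_text: str) -> list[str]:
    """Return every construct that could trigger an outbound fetch."""
    if PROLOG.search(svg_text):
        # Refuse before parsing so no entity is ever expanded.
        return ["DOCTYPE/ENTITY or xml-stylesheet declaration"]
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        for name, value in el.attrib.items():
            if name in ("href", XLINK_HREF):
                if not _is_local(value):
                    findings.append(f"<{tag}> href -> {value}")
            else:  # presentation attributes such as fill= or style=
                for target in URL_FUNC.findall(value):
                    if not _is_local(target):
                        findings.append(f"<{tag}> {name} url() -> {target}")
        if tag == "style" and el.text:
            if "@import" in el.text.lower():
                findings.append("<style> @import")
            for target in URL_FUNC.findall(el.text):
                if not _is_local(target):
                    findings.append(f"<style> url() -> {target}")
    return findings
```

A wrapper would convert only when `external_refs()` returns an empty list; the check narrows the input, and the sandbox recommendation above still applies.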

Like a lobster shell, security has layers — review code before you run it.

635 downloads
0 stars
2 versions
Updated 8h ago
MIT-0

SVG to Image

Convert SVG files to PNG or JPG. Useful when you have vector graphics (e.g. from map-grabber, diagrams, or design tools) and need a raster image to send in chat or use in documents.

Dependencies

  • cairosvg (SVG rendering)
  • Pillow (only for JPG output)

Setup: OpenClaw does not install Python packages automatically. After installing this skill, run once: pip install -r requirements.txt (from the skill folder). On Linux (e.g. Ubuntu/Debian), install the Cairo library first: sudo apt install libcairo2. If a script fails with ModuleNotFoundError or a cairo library error, install the missing package or system library.

Usage

Convert SVG to PNG or JPG

Parameters:

  • input: Path to the SVG file.
  • -o, --output: Output file path (default: same name as input with .png or .jpg).
  • -f, --format: png (default) or jpg.
  • --width, --height: Optional output size in pixels (keeps aspect ratio if only one is set).
  • --dpi: Scale for rasterization (default 96).

# SVG to PNG (default)
python3 scripts/convert_svg.py drawing.svg -o drawing.png

# SVG to JPG
python3 scripts/convert_svg.py drawing.svg -f jpg -o drawing.jpg

# Fixed width 800px (height auto)
python3 scripts/convert_svg.py map.svg -o map.png --width 800

Sending images to Telegram

When used from an OpenClaw Telegram conversation, run the script with -o <path>.png or -o <path>.jpg, then send that file to the user via the OpenClaw message/media tool.

OpenClaw allowed paths: The message tool only sends files from allowed dirs (~/.openclaw/media/, ~/.openclaw/agents/, or /tmp). Use e.g. -o ~/.openclaw/media/out.png or -o /tmp/out.png; do not use the skill install directory or sending will fail.

Agent behavior: When the user asks to convert an SVG to PNG or JPG (or "send as image"), run the script directly with exec: use convert_svg.py <svg_path> -o <output>.png (or -f jpg) with output path under an allowed dir, then send the generated image. Do not ask for confirmation; execute and return the image.

Examples

User: "Convert this SVG to PNG so I can send it in Telegram."
Action: Run convert_svg.py <path> -o /tmp/out.png, then send the PNG to the user.

User: "Turn map.svg into a JPG, 1200px wide."
Action: Run with -f jpg -o /tmp/map.jpg --width 1200, then send the JPG.
