OpenGFX
v1.3.1Generate complete logo systems with icon + wordmark + lockups. Creates production-ready SVG vector logos from natural language prompts. Use when a user reque...
⭐ 0· 948·0 current·0 all-time
by@aklo360
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and all instruction files consistently describe producing SVG icons, wordmarks, lockups, and a JSON manifest; the required outputs and design rules align with the stated purpose.
Instruction Scope
The SKILL.md and LEARNINGS.md stay focused on logo generation, but they also describe an end-to-end autonomous pipeline that 'Upload[s] to R2' and reference a validation endpoint (https://opengfx.aklo.io/validate/logo-system). Those external-network actions are not detailed (no endpoints/calls in instructions beyond the schema note) and could cause data to be transmitted off-agent; the skill does not declare how uploads or network transfers are authenticated or authorized.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk/network install risk. The regex scanner had nothing to analyze, so there is no hidden installer in repository files.
Credentials
The skill declares no required env vars or credentials, which is consistent for a purely instruction-only design task. However, the pipeline references uploading to R2 and a remote validation API; if the runtime will actually perform uploads, credentials (R2 keys, API tokens) would be necessary but are not declared. This gap is ambiguous and should be clarified before use.
Persistence & Privilege
always is false, and the skill is instruction-only and does not request to persist or modify other skill/system settings. Autonomous invocation is allowed (platform default) but not combined with any declared escalation privileges.
Scan Findings in Context
[no-findings] expected: Regex scanner had no findings because this is an instruction-only skill (no code files). That absence is expected but not evidence of safety — the SKILL.md still references external endpoints.
What to consider before installing
This skill looks like a legitimate, self-contained logo-generation recipe (SVGs + JSON). Two things to check before installing or enabling it for autonomous runs: (1) clarify whether the agent will upload generated files to external services (the docs mention 'Upload to R2' and a validation API). If so, ask which endpoint(s) are used and what credentials are required and stored — the package currently declares no env vars for that. (2) Confirm privacy/compliance: will user-provided brand names, assets, or prompts be sent to third parties? If you plan to let the agent run this autonomously, require explicit confirmation of where outputs go and how credentials are handled. If the publisher cannot explain how external uploads are authenticated or why credentials are not declared, treat the skill as higher risk and avoid granting it autonomous access to sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk97689tny86bmf2jwwc9hq0shh8276ea
License
MIT-0
Free to use, modify, and redistribute. No attribution required.