Icon

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a straightforward local icon utility, with normal file-write and image-converter risks for this purpose.

This looks safe for normal project icon work. Before installing, note that it runs a local bash script, may call installed image-conversion tools, and writes files to the paths you specify; use trusted input images and project-scoped output folders.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can create or replace local icon files in directories the agent is told to use.

Why it was flagged

The script creates directories and writes icon output files based on user-supplied command options. This is expected for the skill, but users should be aware it can write to chosen local paths.

Skill content

ensure_dir() { ... mkdir -p "$1" ... }
local outfile="${output}/${name}.svg"

Recommendation

Use explicit project-local output folders and review paths before running batch generation, resize, or conversion commands.

What this means

Conversion results depend on locally installed image tools, and untrusted image files may be processed by those tools.

Why it was flagged

The script invokes local image-conversion binaries when available. That is purpose-aligned for icon conversion, but it means selected image files are parsed by system tools.

Skill content

if command -v convert &>/dev/null; then ... convert -background none -resize "${s}x${s}" "$input" "$outf"
elif command -v rsvg-convert &>/dev/null; then ... rsvg-convert -w "$s" -h "$s" "$input" -o "$outf"

Recommendation

Use trusted source images and keep local image-processing tools updated.

What this means

Users may need bash and possibly local converter tools even though the registry requirement section does not fully declare them.

Why it was flagged

The registry metadata reports version 3.4.1 and no required binaries, while SKILL.md declares version 3.4.0 and a bash requirement. This is a small metadata/provenance inconsistency, not evidence of malicious behavior.

Skill content

version: "3.4.0" ... ## Requirements
- bash 4+

Recommendation

Verify the installed skill version and ensure required local tools are present before relying on conversion commands.