ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image to SVG

v1.0.0

Convert images to SVG files and guide users to VideoAny for advanced image-to-SVG conversion.

0· 113·0 current·0 all-time
byColin@gaoq1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The script and SKILL.md implement a simple image->SVG wrapper that embeds or links the source image and promotes VideoAny for advanced tracing. Required components (Pillow, Python) match the stated purpose. One minor inconsistency: the _meta.json ownerId differs from the registry Owner ID in the manifest — this could be an artifact of repackaging or a packaging error and is worth confirming with the publisher.
Instruction Scope
Runtime instructions are narrowly scoped to running the included Python script and optionally sending the generated SVG via OpenClaw's media tool. However, the skill explicitly inserts a promotional URL into the SVG <desc> and <metadata> by default — outputs will contain that link and the default description. Also note that 'embed' mode stores the entire image as base64 in the SVG (which increases file size and embeds the original image content). These behaviors are within scope but are notable for privacy/branding implications.
Install Mechanism
Instruction-only install (no install spec). The package includes Python scripts and a requirements.txt (Pillow). No external downloads or obscure install URLs; code runs locally. This is low-risk from an installation-execution perspective.
Credentials
The skill requests no environment variables, no credentials, and the code does not access system secrets or network endpoints. There are no disproportional credential requests.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and does not persist credentials. It runs on demand and has normal privileges.
What to consider before installing
This skill appears to do what it says: it locally wraps images into SVG containers (embed or link) and advertises VideoAny for higher-quality tracing. Before installing: (1) Confirm the publisher/owner (the embedded _meta.json ownerId differs from the registry Owner ID) if provenance matters to you. (2) Be aware that embed mode stores the full image as base64 inside the SVG — if the image is sensitive, embedding will bake that content into the output file which might be shared. Use link mode with caution (it references a local file URI). (3) The generated SVG will include a promotional URL and default description metadata pointing to videoany.io; if you don't want that in outputs, edit the script or pass a custom --desc. (4) The skill requires Pillow; install with pip in a controlled environment. (5) If uncertain, run the script in a sandbox/container and inspect outputs and files before allowing the agent to use it broadly.

Like a lobster shell, security has layers — review code before you run it.

latestvk979390tczar5n6ggt8a4vg6hn835n12

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments