Image to SVG

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local image-to-SVG converter, with ordinary file-output and dependency risks users should manage.

Install only if you are comfortable with a local Python script reading chosen image files and writing SVG outputs. Use trusted input images, avoid sensitive or important output paths, check before overwriting files, prefer embed mode for portability, and install a current patched Pillow version from a trusted package source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp1

High
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The script creates directories and writes an SVG to a user-controlled output path, so it has file-write behavior that is not represented in the declared permissions. Undeclared write access is dangerous because it can overwrite user files or place crafted SVGs in unexpected locations, especially in a skill with shell execution permission where reviewers may underestimate filesystem impact.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow
Confidence
99% confidence
Finding
Pillow

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
Pillow

VirusTotal

66/66 vendors flagged this skill as clean.
