Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill matches its image-generation purpose, but its helper script builds shell commands from an output filename, which could run unintended commands if a crafted filename is used.
Use this skill only with fixed, trusted output paths such as a simple file under /tmp. Do not let untrusted text choose filenames. The publisher should harden the helper script before users rely on it for automated runs.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an attacker or untrusted prompt can influence the output filename, they may be able to make the agent run unintended local shell commands.
The output path comes from command-line arguments and is inserted into a shell command string without robust escaping; a crafted filename containing shell metacharacters or quotes could cause unintended command execution.
const svgPath = output.replace('.png', '.svg'); ... execSync(`rsvg-convert "${svgPath}" -o "${output}"`, { stdio: 'pipe' });
Replace execSync shell strings with execFile or spawn using an argument array, validate output paths, restrict writes to a safe temporary directory, and reject quotes/control characters in filenames.
The skill may fail or use whichever local converter is available, and users may not realize a system dependency is involved.
The helper depends on local converter binaries, while the registry requirements list no required binaries; this is disclosed in the documentation but under-declared in metadata.
execSync(`rsvg-convert "${svgPath}" -o "${output}"`, { stdio: 'pipe' }); ... execSync(`convert "${svgPath}" "${output}"`, { stdio: 'pipe' });
Declare the required or optional converter binaries in metadata and document safe installation sources.