v1.0.0

SVG Draw

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This is a coherent SVG drawing and PNG conversion helper; users should mainly notice that it runs a local SVG converter and depends on rsvg-convert being available.

Guidance: This skill appears safe for its stated purpose. Before installing, be aware that it will write image files and invoke the local rsvg-convert tool; choose output paths carefully, verify rsvg-convert is installed from a trusted source, and confirm any external messaging destination before sharing generated images.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/svg_to_png.sh
rsvg-convert -w "$WIDTH" -h "$HEIGHT" "$INPUT" -o "$OUTPUT"

The bundled script executes a local system converter using supplied input/output paths and dimensions. This is the core advertised PNG conversion behavior, but it is still local command execution and file output.

User impact: The skill can cause the agent to run rsvg-convert and create or overwrite the specified PNG output file.
Recommendation: Use normal workspace/output paths, avoid overwriting important files, and ensure rsvg-convert is a trusted system binary.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
Confirm `rsvg-convert` is installed: `which rsvg-convert`

The documentation discloses reliance on rsvg-convert, while the registry requirements list no required binaries and there is no install spec. This is a metadata/dependency declaration gap, not hidden behavior.

User impact: The skill may fail unless rsvg-convert is already installed, and users may need to verify the system-provided converter themselves.
Recommendation: Declare rsvg-convert as a required binary in metadata and use a trusted OS package source if installing it.

Tool Misuse and Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Send via the appropriate channel (DingTalk, Telegram, etc.)

The workflow suggests sharing the generated image through external messaging channels. This is consistent with delivering artwork, but channel/recipient choice should remain user-directed.

User impact: If the agent has messaging tools available, it may use this skill as part of sending the generated image externally.
Recommendation: Confirm the destination and recipient before sending generated images through third-party channels.