svg-generator-pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a local SVG/PNG asset generator, with ordinary file-output and dependency-declaration caveats to notice.
Reasonable to install if you want a local graphic generator. Before using it, confirm any Node dependencies from a trusted source, choose safe output paths, and avoid passing untrusted text as custom SVG color values.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
PNG conversion may fail unless the user installs the needed dependency, and users may need to choose a trusted installation source themselves.
The PNG conversion helper depends on an external Node package, while the registry/install metadata declares no install spec or required binaries. This is a dependency declaration gap, not evidence of malicious behavior.
const { createCanvas, loadImage } = require('canvas');
Declare Node.js and canvas requirements clearly, and preferably include a package manifest or lockfile so users can install dependencies from a trusted, reproducible source.
If invoked with an unintended path it could overwrite or create local files, and untrusted custom color strings could produce unsafe SVG markup for later web use.
Caller-provided values can affect SVG attribute content and the output file path. This is expected for a generator, but it lacks validation or overwrite safeguards.
<stop offset="0%" stop-color="${primaryColor}" /> ... const outputPath = path.resolve(output); ... fs.writeFileSync(outputPath, svgContent);
Use normal hex color values, keep outputs inside intended project folders, and consider adding color validation plus confirmation before overwriting existing files.
