ClawHub

SVG to Image

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SVG-to-PNG/JPG converter with normal local execution and dependency hygiene cautions, not evidence of hidden or malicious behavior.

Install only if you are comfortable with the agent running a local Python converter after you ask for SVG conversion. Use trusted SVG files, keep dependency versions current or pinned in sensitive environments, and avoid ambiguous input paths or files from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill instructs the agent to create files in sendable directories and transmit them to the user, but provides no guardrails around overwriting files, handling sensitive input paths, or validating that the generated output is safe to exfiltrate. In a system with broad file access, this increases the chance of unintended data disclosure or unsafe file handling through normal agent operation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Telling the agent to 'Do not ask for confirmation; execute and return the image' removes a useful human-in-the-loop safeguard for a shell-executing skill that reads local files and writes output to sendable locations. This makes accidental processing of attacker-controlled paths or unintended transmission of derived content more likely, especially in chat-driven workflows where ambiguity is common.

Unpinned Dependencies

Low
Category
Supply Chain
Content
cairosvg
Pillow
Confidence
98% confidence
Finding
cairosvg

Unpinned Dependencies

Low
Category
Supply Chain
Content
cairosvg
Pillow
Confidence
98% confidence
Finding
Pillow

Known Vulnerable Dependency: cairosvg — 5 advisory(ies): CVE-2026-31899 (CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification); CVE-2021-21236 (Regular Expression Denial of Service in CairoSVG); CVE-2023-27586 (CairoSVG improperly processes SVG files loaded from external resources) +2 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
cairosvg

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
Pillow

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal