blog-figure-svg
Pass
Audited by ClawScan on May 13, 2026.
Overview
The skill appears to be a benign blog-figure generator, with expected local image-file creation and optional image-tool setup that users should review.
This looks safe for its stated purpose. Before using it, make sure any optional rasterizer/compressor tools are installed from trusted sources, run it in the correct project directory, and review generated images before uploading them to a blog or CDN.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use installed local image tools and create generated SVG/PNG files in the working directory.
The skill tells the agent/user to run local image conversion and compression tools to create PNG outputs. This is expected for the stated SVG figure workflow, but it is still local command execution.
ImageMagick (`magick` command) ... `rsvg-convert` ... `inkscape` ... `cairosvg in.svg -W 1600 -o out.png` ... Plus `pngquant` (or `oxipng`) for compression
Run it in the intended project folder, keep the generated paths scoped to tmp/blog-drafts, and review the SVG/PNG before uploading or publishing.
If missing tools are installed, normal package-manager or Python package supply-chain risk applies.
The instructions mention optional third-party tools and an unpinned pip package, while there is no install spec. This is purpose-aligned setup guidance, not hidden execution, but users should choose trusted package sources.
`pip install cairosvg`; ... install one of magick, rsvg-convert, inkscape, cairosvg ... install pngquant or oxipng
Install dependencies from trusted package managers, pin versions where appropriate, and avoid installing unfamiliar packages solely because a draft needs rasterization.
