blog-figure-svg
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use installed local image tools and create generated SVG/PNG files in the working directory.
The skill tells the agent/user to run local image conversion and compression tools to create PNG outputs. This is expected for the stated SVG figure workflow, but it is still local command execution.
ImageMagick (`magick` command) ... `rsvg-convert` ... `inkscape` ... `cairosvg in.svg -W 1600 -o out.png` ... Plus `pngquant` (or `oxipng`) for compression
Run it in the intended project folder, keep the generated paths scoped to tmp/blog-drafts, and review the SVG/PNG before uploading or publishing.
If missing tools are installed, normal package-manager or Python package supply-chain risk applies.
The instructions mention optional third-party tools and an unpinned pip package, while there is no install spec. This is purpose-aligned setup guidance, not hidden execution, but users should choose trusted package sources.
`pip install cairosvg`; ... install one of magick, rsvg-convert, inkscape, cairosvg ... install pngquant or oxipng
Install dependencies from trusted package managers, pin versions where appropriate, and avoid installing unfamiliar packages solely because a draft needs rasterization.
