blog-figure-svg

Status: Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: blog-figure-svg
Version: 1.0.0

The skill provides Python scripts and shell command templates for generating SVG blog figures and converting them to PNG. A weakness exists in SKILL.md: the shell command examples for rasterization and compression (using tools such as 'magick' and 'pngquant') use unquoted placeholders such as '<slug>'. If the AI agent fills these placeholders with unsanitized user input, the result could be shell injection and arbitrary command execution. In addition, the Python scripts do not sanitize the 'out_path' argument, which could allow an arbitrary file write or path traversal if the agent is manipulated. No evidence of intentional malice or data exfiltration was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may use installed local image tools and create generated SVG/PNG files in the working directory.

Why it was flagged

The skill tells the agent/user to run local image conversion and compression tools to create PNG outputs. This is expected for the stated SVG figure workflow, but it is still local command execution.

Skill content

ImageMagick (`magick` command) ... `rsvg-convert` ... `inkscape` ... `cairosvg in.svg -W 1600 -o out.png` ... Plus `pngquant` (or `oxipng`) for compression

Recommendation

Run it in the intended project folder, keep the generated paths scoped to tmp/blog-drafts, and review the SVG/PNG before uploading or publishing.

What this means

If missing tools are installed, normal package-manager or Python package supply-chain risk applies.

Why it was flagged

The instructions mention optional third-party tools and an unpinned pip package, while there is no install spec. This is purpose-aligned setup guidance, not hidden execution, but users should choose trusted package sources.

Skill content

`pip install cairosvg`; ... install one of magick, rsvg-convert, inkscape, cairosvg ... install pngquant or oxipng

Recommendation

Install dependencies from trusted package managers, pin versions where appropriate, and avoid installing unfamiliar packages solely because a draft needs rasterization.