Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SVG to Image
v1.1.1
Convert SVG to PNG or JPG for quick sharing (e.g. Telegram) or print.
by AddinCui @qrost
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the provided code and instructions. The included Python script (cairosvg + Pillow) directly implements SVG→PNG/JPG conversion, and the declared dependencies align with that purpose.
Instruction Scope
SKILL.md instructs the agent to run the script directly (exec) and to not ask for confirmation when the user requests a conversion. The instructions require output files be placed in allowed media dirs (/tmp or ~/.openclaw/media/) which limits exfiltration of results. However, the script uses cairosvg.svg2png with the 'url' parameter: if given a URL or SVG that references external resources, cairosvg may perform network fetches (possible SSRF or unexpected outbound requests). This is a runtime risk inherent to converting arbitrary SVG inputs.
Install Mechanism
No installation spec is provided (instruction-only), so nothing arbitrary is downloaded by the skill itself. The README asks the operator to pip install requirements.txt and to install system libcairo2 which is normal for this task.
Credentials
The skill requests no environment variables, credentials, or config paths. Its resource access (local file paths provided as arguments) is proportionate to converting files.
Persistence & Privilege
always:false (no forced presence). The SKILL.md explicitly tells the agent to execute conversions without asking for confirmation; combined with the platform's normal autonomous invocation, this gives the skill the ability to run the conversion script automatically when triggered. That is not itself incorrect for a conversion utility, but users should be aware it will execute code on-demand.
Assessment
This skill is functionally what it says, but review these points before installing: (1) You must install cairosvg, Pillow, and system libcairo2 yourself; install from official sources (pip, distro repos). (2) The agent will run the included Python script automatically (no confirmation) when asked to convert; make sure you trust the input. (3) SVGs can reference external resources — cairosvg may fetch them, which could leak requests to internal services (SSRF) or cause outbound network activity. Avoid converting untrusted or unknown SVGs, or run the skill in a sandboxed environment. (4) Follow the SKILL.md instruction to write output to allowed media dirs (/tmp or ~/.openclaw/media/) so the agent can send the file. If you want stronger guarantees, consider modifying the script to disable URL fetching or validate/clean SVG inputs before rasterizing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cdzh12qp7nwxpws7w38th3n81jrdq
