SF Symbol generator

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong asset directory or an unusual symbol name, the skill could create or overwrite asset files outside the location the user intended.

Why it was flagged

The script creates directories, copies the SVG, and writes Contents.json based on command-line arguments. This is core to the skill’s purpose, but it means the selected paths directly control project file creation.

Skill content
symbolset_dir="$assets_dir/${symbol_name}.symbolset"
mkdir -p "$symbolset_dir"
cp "$svg_path" "$symbolset_dir/$svg_filename"
cat > "$symbolset_dir/Contents.json" <<EOF

Recommendation

Run it from the intended project, use simple SF Symbol-style names without path separators, review the generated path, and keep the project under version control so changes are reversible.

What this means

Using the skill runs local code that reads an SVG and writes generated asset files.

Why it was flagged

The skill is instruction-only but tells the user or agent to execute included local Bash/Node scripts. That execution is expected for this generator and is not hidden.

Skill content
./scripts/generate.sh <symbol-name> <svg-path> [assets-dir]
./scripts/generate-from-template.js <symbol-name> <svg-path> [template-svg] [assets-dir]

Recommendation

Only run the scripts in projects where you are comfortable allowing local file changes, and inspect the script contents if the source is not trusted.

What this means

Users have less external provenance to verify and may encounter undeclared runtime requirements.

Why it was flagged

The skill has limited provenance metadata and does not declare the Bash/Node runtime implied by the included scripts. This is a disclosure/provenance gap, not evidence of malicious behavior.

Skill content
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Required binaries (all must exist): none

Recommendation

Install only if you trust the registry entry, and verify the included scripts before use, especially because the JavaScript source display is partially truncated in the supplied artifact view.