SF Symbol generator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: sfsymbol-generator
Version: 1.0.0
The skill bundle is benign. Its scripts perform local file system operations (creating directories, copying files, reading/writing SVGs and JSON) and SVG content manipulation, all of which are directly aligned with its stated purpose of generating Xcode SF Symbol asset catalogs. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All file access is localized and necessary for the skill's functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong asset directory or an unusual symbol name, the skill could create or overwrite asset files outside the location the user intended.
The script creates directories, copies the SVG, and writes Contents.json based on command-line arguments. This is core to the skill’s purpose, but it means the selected paths directly control project file creation.
symbolset_dir="$assets_dir/${symbol_name}.symbolset"
mkdir -p "$symbolset_dir"
cp "$svg_path" "$symbolset_dir/$svg_filename"
cat > "$symbolset_dir/Contents.json" <<EOF
Run it from the intended project, use simple SF Symbol-style names without path separators, review the generated path, and keep the project under version control so changes are reversible.
Using the skill runs local code that reads an SVG and writes generated asset files.
The skill is instruction-only but tells the user or agent to execute included local Bash/Node scripts. That execution is expected for this generator and is not hidden.
./scripts/generate.sh <symbol-name> <svg-path> [assets-dir]
./scripts/generate-from-template.js <symbol-name> <svg-path> [template-svg] [assets-dir]
Only run the scripts in projects where you are comfortable allowing local file changes, and inspect the script contents if the source is not trusted.
Users have less external provenance to verify and may encounter undeclared runtime requirements.
The skill has limited provenance metadata and does not declare the Bash/Node runtime implied by the included scripts. This is a disclosure/provenance gap, not evidence of malicious behavior.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Required binaries (all must exist): none
Install only if you trust the registry entry, and verify the included scripts before use, especially because the JavaScript source display is partially truncated in the supplied artifact view.
