svg-to-png

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing the skill's dependency may add npm packages and native image-processing components to the current project or directory.

Why it was flagged

The skill requires installing a third-party npm dependency. This is purpose-aligned for image conversion, but users should recognize that npm installation changes the local environment and depends on external package provenance.

Skill content

在使用该技能前，需要在当前目录安装 sharp：

```bash
npm install sharp
```

Recommendation

Install dependencies in a project or sandbox you control, and prefer using the included package-lock/package.json workflow where possible.

Note

ASI02: Tool Misuse and Exploitation

What this means

A selected output path could be overwritten by the generated PNG.

Why it was flagged

The script writes an output file to the provided PNG path. This is exactly what the converter is meant to do, but users should be aware it can create or replace files at the chosen output location.

Skill content

await sharp(svgPath)
      .resize(size, size)
      .png()
      .toFile(pngPath);

Recommendation

Confirm the input and output paths before running the conversion, especially when using an existing filename.