← Back to Skills Marketplace
SVG Animator
by
juliantsaiii
· GitHub ↗
· v1.0.0
436
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install svg-animator
Description
Generate animated videos from SVG frames using text LLM. Supports any subject (animals, humans, characters, scenes, abstract art), automatic duration calcula...
Usage Guidance
This skill is mostly coherent for generating SVG frames and assembling them into videos using local tools (ffmpeg and rsvg-convert). Before installing or running it: 1) Understand it runs local shell commands and writes files (default /tmp) — test in an isolated/sandbox environment. 2) Ensure ffmpeg and rsvg-convert are installed from your OS package manager. 3) Inspect scripts/animate.js for any execSync calls that include unsanitized user-supplied strings (output paths, --theme, --story). If you allow untrusted input, escape or validate it to avoid command injection. 4) The description mentions using a text LLM to generate SVG; the code does not contact any LLM API or require API keys — this is likely because the agent/LLM is expected to produce SVG text. If you need a networked LLM integration, confirm how credentials would be provided. 5) Avoid running this as root and avoid auto-copying outputs into webserver directories without checking file ownership/permissions. If you want higher assurance, run the script in a container or review the full, untruncated animate.js to confirm there are no unexpected execSync invocations or hidden network calls.
Capability Analysis
Type: OpenClaw Skill
Name: svg-animator
Version: 1.0.0
The skill provides a utility for generating SVG-based animations but contains a shell injection vulnerability in `scripts/animate.js`. The `--output` command-line argument is used directly within an `execSync` call to `ffmpeg` without sanitization, which could allow for arbitrary command execution if a malicious path is provided. While the code logic aligns with the stated purpose and no evidence of intentional malice or data exfiltration was found, the lack of input validation on shell-executed commands poses a security risk.
Capability Assessment
Purpose & Capability
Name and description claim 'use text LLM to generate SVG code' and 'no video API needed'. The SKILL.md instructs the agent to use its text model to generate SVG snippets and then use local tooling (rsvg-convert, ffmpeg) to render/encode. The included script (scripts/animate.js) programmatically generates SVG frames from a 'theme' string rather than calling any external LLM APIs. This is explainable (the agent/LLM itself could generate SVG text), but the description may lead users to expect networked LLM integration or API keys which are not present.
Instruction Scope
SKILL.md directs the agent and the script to write files to /tmp, convert SVG→PNG with rsvg-convert, and encode with ffmpeg. It also suggests copying output into an nginx directory to serve files. The instructions invoke shell commands (rsvg-convert, ffmpeg) and write to filesystem paths provided by the user (e.g., output path). There is no instruction to read unrelated system files or environment variables, but executing shell commands with user-supplied paths can be risky if inputs are not sanitized.
Install Mechanism
No install spec (instruction-only) and a single JS script included. This is low risk in terms of untrusted downloads. The skill requires system binaries (ffmpeg, rsvg-convert) that must be present; SKILL.md explicitly documents that requirement.
Credentials
The skill requests no environment variables or credentials (appropriate for its stated purpose). The code uses child_process.execSync to run external tools; if the script or agent interpolates untrusted user input into shell commands, that could permit command injection or privilege misuse. No network endpoints or secrets are requested.
Persistence & Privilege
always:false and no evidence of the skill attempting to alter other skills or global agent configuration. It writes temporary files under /tmp and may suggest copying to an nginx directory (user action). The skill does not appear to request persistent elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install svg-animator - After installation, invoke the skill by name or use
/svg-animator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Generate animated videos from SVG frames. Supports any subject (animals, humans, scenes), automatic duration, and multi-scene stories. Uses text LLM to write SVG code, then ffmpeg to合成视频。
Metadata
Frequently Asked Questions
What is SVG Animator?
Generate animated videos from SVG frames using text LLM. Supports any subject (animals, humans, characters, scenes, abstract art), automatic duration calcula... It is an AI Agent Skill for Claude Code / OpenClaw, with 436 downloads so far.
How do I install SVG Animator?
Run "/install svg-animator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SVG Animator free?
Yes, SVG Animator is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SVG Animator support?
SVG Animator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SVG Animator?
It is built and maintained by juliantsaiii (@juliantsaiii); the current version is v1.0.0.
More Skills