SVG Artist
by juliantsaiii · v1.0.0
478 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install svg-artist
Description
Generate SVG images using text LLM instead of image generation APIs. Use when user wants to create illustrations, icons, cartoons, diagrams, or any visual co...
Usage Guidance
This skill appears to do what it says (have the LLM produce SVG and convert it to PNG), but take these precautions before installing or using it:
- Runtime requirements: Ensure Node.js and an SVG-to-PNG tool (rsvg-convert or ImageMagick's convert) are available — the skill does not declare these but its code and docs require them.
- Review the script: The helper uses execSync with string-interpolated commands. If the agent, user, or LLM can control filenames or injected content, this can be exploited for command injection. If you plan to run this in a multi-user or untrusted-input context, ask the maintainer to sanitize inputs and use safer APIs (child_process.execFile/spawn with arg arrays, or avoid shell interpolation).
- File handling: The script writes to /tmp and creates .svg/.png files. Confirm that this behavior is acceptable in your environment and that sensitive data won’t be written there.
- If you are the developer or operator: add required-binaries to metadata (node, rsvg-convert/convert), validate/sanitize filenames, avoid node -e with untrusted content, and prefer safe temporary-file APIs.
Given these issues, the skill is not evidently malicious, but the missing dependency declarations and the shell-exec patterns make it worth extra caution (hence 'suspicious'). If the author provides updated metadata and safer exec usage, this could be re-classified as benign.
Capability Analysis
Type: OpenClaw Skill
Name: svg-artist
Version: 1.0.0
The skill enables SVG-to-PNG conversion but contains a shell injection vulnerability in `scripts/generate_svg.js` due to the use of `execSync` with unsanitized command-line arguments (file paths). While the instructions in `SKILL.md` describe a legitimate workflow for generating illustrations, the helper script's implementation allows for arbitrary command execution if malicious paths are provided to the conversion utilities.
Capability Assessment
Purpose & Capability
The name/description (generate SVG via LLM) aligns with the included instructions and helper script. However the skill fails to declare necessary runtime binaries: SKILL.md and the script assume Node.js plus an SVG-to-PNG converter (rsvg-convert or ImageMagick 'convert'), but the registry metadata lists no required binaries. This is a modest incoherence (missing dependency declaration) but consistent with the stated purpose.
Instruction Scope
Instructions tell the agent to generate SVG, write files under /tmp, run Node commands and call rsvg-convert/convert. That's within the purpose, but the helper script uses child_process.execSync with interpolated file paths (execSync(`rsvg-convert "${svgPath}" -o "${output}"`)). Combined with the SKILL.md examples that use node -e inline, this creates a practical risk: unvalidated user/LLM-controlled strings could lead to shell/command injection or accidental execution. The SKILL.md also instructs the agent to send file paths (<qqimg>/tmp/image.png), which is platform-specific but not inherently malicious.
Install Mechanism
There is no install spec (instruction-only plus a small helper script). This minimizes supply-chain risk (no remote downloads), but the lack of declared runtime requirements (Node, rsvg-convert/ImageMagick) is an omission. The script writes files to disk and executes local conversion binaries when run.
Credentials
The skill does not request environment variables, credentials, or configuration paths. The script does not access network endpoints or secret-bearing env vars. There is no evidence of disproportionate credential/secret access.
Persistence & Privilege
always is false and the skill is user-invocable. It does not modify other skills or system-wide configs and does not request permanent presence or elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install svg-artist
- After installation, invoke the skill by name or use /svg-artist
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Generate images using text LLM to write SVG code. No image generation API needed. Perfect for cartoons, icons, and simple illustrations.
Frequently Asked Questions
What is SVG Artist?
Generate SVG images using text LLM instead of image generation APIs. Use when user wants to create illustrations, icons, cartoons, diagrams, or any visual co... It is an AI Agent Skill for Claude Code / OpenClaw, with 478 downloads so far.
How do I install SVG Artist?
Run "/install svg-artist" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SVG Artist free?
Yes, SVG Artist is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SVG Artist support?
SVG Artist is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created SVG Artist?
It is built and maintained by juliantsaiii (@juliantsaiii); the current version is v1.0.0.