← 返回 Skills 市场
SVG Animator
作者
juliantsaiii
· GitHub ↗
· v1.0.0
436
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install svg-animator
功能描述
Generate animated videos from SVG frames using text LLM. Supports any subject (animals, humans, characters, scenes, abstract art), automatic duration calcula...
安全使用建议
This skill is mostly coherent for generating SVG frames and assembling them into videos using local tools (ffmpeg and rsvg-convert). Before installing or running it: 1) Understand it runs local shell commands and writes files (default /tmp) — test in an isolated/sandbox environment. 2) Ensure ffmpeg and rsvg-convert are installed from your OS package manager. 3) Inspect scripts/animate.js for any execSync calls that include unsanitized user-supplied strings (output paths, --theme, --story). If you allow untrusted input, escape or validate it to avoid command injection. 4) The description mentions using a text LLM to generate SVG; the code does not contact any LLM API or require API keys — this is likely because the agent/LLM is expected to produce SVG text. If you need a networked LLM integration, confirm how credentials would be provided. 5) Avoid running this as root and avoid auto-copying outputs into webserver directories without checking file ownership/permissions. If you want higher assurance, run the script in a container or review the full, untruncated animate.js to confirm there are no unexpected execSync invocations or hidden network calls.
功能分析
Type: OpenClaw Skill
Name: svg-animator
Version: 1.0.0
The skill provides a utility for generating SVG-based animations but contains a shell injection vulnerability in `scripts/animate.js`. The `--output` command-line argument is used directly within an `execSync` call to `ffmpeg` without sanitization, which could allow for arbitrary command execution if a malicious path is provided. While the code logic aligns with the stated purpose and no evidence of intentional malice or data exfiltration was found, the lack of input validation on shell-executed commands poses a security risk.
能力评估
Purpose & Capability
Name and description claim 'use text LLM to generate SVG code' and 'no video API needed'. The SKILL.md instructs the agent to use its text model to generate SVG snippets and then use local tooling (rsvg-convert, ffmpeg) to render/encode. The included script (scripts/animate.js) programmatically generates SVG frames from a 'theme' string rather than calling any external LLM APIs. This is explainable (the agent/LLM itself could generate SVG text), but the description may lead users to expect networked LLM integration or API keys which are not present.
Instruction Scope
SKILL.md directs the agent and the script to write files to /tmp, convert SVG→PNG with rsvg-convert, and encode with ffmpeg. It also suggests copying output into an nginx directory to serve files. The instructions invoke shell commands (rsvg-convert, ffmpeg) and write to filesystem paths provided by the user (e.g., output path). There is no instruction to read unrelated system files or environment variables, but executing shell commands with user-supplied paths can be risky if inputs are not sanitized.
Install Mechanism
No install spec (instruction-only) and a single JS script included. This is low risk in terms of untrusted downloads. The skill requires system binaries (ffmpeg, rsvg-convert) that must be present; SKILL.md explicitly documents that requirement.
Credentials
The skill requests no environment variables or credentials (appropriate for its stated purpose). The code uses child_process.execSync to run external tools; if the script or agent interpolates untrusted user input into shell commands, that could permit command injection or privilege misuse. No network endpoints or secrets are requested.
Persistence & Privilege
always:false and no evidence of the skill attempting to alter other skills or global agent configuration. It writes temporary files under /tmp and may suggest copying to an nginx directory (user action). The skill does not appear to request persistent elevated privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install svg-animator - 安装完成后,直接呼叫该 Skill 的名称或使用
/svg-animator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Generate animated videos from SVG frames. Supports any subject (animals, humans, scenes), automatic duration, and multi-scene stories. Uses text LLM to write SVG code, then ffmpeg to合成视频。
元数据
常见问题
SVG Animator 是什么?
Generate animated videos from SVG frames using text LLM. Supports any subject (animals, humans, characters, scenes, abstract art), automatic duration calcula... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 436 次。
如何安装 SVG Animator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install svg-animator」即可一键安装,无需额外配置。
SVG Animator 是免费的吗?
是的,SVG Animator 完全免费(开源免费),可自由下载、安装和使用。
SVG Animator 支持哪些平台?
SVG Animator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SVG Animator?
由 juliantsaiii(@juliantsaiii)开发并维护,当前版本 v1.0.0。
推荐 Skills