SVG Artist
Author: juliantsaiii · GitHub · v1.0.0
Total downloads: 478
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install svg-artist
Description
Generate SVG images using text LLM instead of image generation APIs. Use when user wants to create illustrations, icons, cartoons, diagrams, or any visual co...
Security usage advice
This skill appears to do what it says (have the LLM produce SVG and convert it to PNG), but take these precautions before installing or using it:
- Runtime requirements: Ensure Node.js and an SVG-to-PNG tool (rsvg-convert or ImageMagick's convert) are available — the skill does not declare these but its code and docs require them.
- Review the script: The helper uses execSync with string-interpolated commands. If the agent, user, or LLM can control filenames or injected content, that could be exploited (command injection). If you plan to run this in a multi-user or untrusted-input context, request the maintainer to sanitize inputs and use safer APIs (child_process.execFile/spawn with arg arrays, or avoid shell interpolation).
- File handling: The script writes to /tmp and creates .svg/.png files. Confirm that this behavior is acceptable in your environment and that sensitive data won’t be written there.
- If you are the developer or operator: add required-binaries to metadata (node, rsvg-convert/convert), validate/sanitize filenames, avoid node -e with untrusted content, and prefer safe temporary-file APIs.
Given these issues the skill is not evidently malicious, but the missing dependency declarations and the shell-exec patterns make it worth extra caution (hence 'suspicious'). If the author provides updated metadata and safer exec usage, this could be re-classified as benign.
Functional analysis
Type: OpenClaw Skill
Name: svg-artist
Version: 1.0.0
The skill enables SVG-to-PNG conversion but contains a shell injection vulnerability in `scripts/generate_svg.js` due to the use of `execSync` with unsanitized command-line arguments (file paths). While the instructions in `SKILL.md` describe a legitimate workflow for generating illustrations, the helper script's implementation allows for arbitrary command execution if malicious paths are provided to the conversion utilities.
Capability assessment
Purpose & Capability
The name/description (generate SVG via LLM) aligns with the included instructions and helper script. However the skill fails to declare necessary runtime binaries: SKILL.md and the script assume Node.js plus an SVG-to-PNG converter (rsvg-convert or ImageMagick 'convert'), but the registry metadata lists no required binaries. This is a modest incoherence (missing dependency declaration) but consistent with the stated purpose.
Instruction Scope
Instructions tell the agent to generate SVG, write files under /tmp, run Node commands and call rsvg-convert/convert. That's within the purpose, but the helper script uses child_process.execSync with interpolated file paths (execSync(`rsvg-convert "${svgPath}" -o "${output}"`)). Combined with the SKILL.md examples that use node -e inline, this creates a practical risk: unvalidated user/LLM-controlled strings could lead to shell/command injection or accidental execution. The SKILL.md also instructs the agent to send file paths (<qqimg>/tmp/image.png), which is platform-specific but not inherently malicious.
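The safer pattern this assessment points to, as an added example (not the skill's own code and not from its maintainer): file names are checked against an allow-list and handed to rsvg-convert as an argument array, so no shell ever parses them. `WORK_DIR`, `safeName`, `buildConvertArgv` and `convertSvgToPng` are hypothetical names, and the file-name policy is an assumption.

```javascript
// Added example: hardened replacement for the pattern flagged in the review,
//   execSync(`rsvg-convert "${svgPath}" -o "${output}"`)
// where the interpolated paths are parsed by a shell.

// Assumption: the skill keeps its files in one dedicated directory.
const WORK_DIR = '/tmp/svg-artist';

// Allow-list check for a bare file name supplied by the user or the LLM.
// Rejects directory parts, "..", a leading "-" or ".", whitespace, quotes
// and every other character outside [A-Za-z0-9_.-].
function safeName(name, ext) {
  if (typeof name !== 'string') {
    throw new TypeError('file name must be a string');
  }
  const allowed = new RegExp(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\\.${ext}$`);
  if (!allowed.test(name) || name.includes('..')) {
    throw new Error(`rejected file name: ${JSON.stringify(name)}`);
  }
  return `${WORK_DIR}/${name}`;
}

// Build the argument vector as an array. Each element reaches the
// converter as exactly one argument, whatever characters it contains.
function buildConvertArgv(svgName, pngName) {
  return [safeName(svgName, 'svg'), '-o', safeName(pngName, 'png')];
}

// Run the conversion without a shell. execFileSync spawns the binary
// directly unless the `shell` option is set, which it is not here.
async function convertSvgToPng(svgName, pngName) {
  const { execFileSync } = await import('node:child_process');
  const argv = buildConvertArgv(svgName, pngName);
  execFileSync('rsvg-convert', argv, { timeout: 10000 });
  return argv[2]; // absolute path of the PNG that was written
}
```

The allow-list and the argument array are independent layers: the array alone removes shell parsing, and the name check additionally keeps output inside `WORK_DIR`.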
Install Mechanism
There is no install spec (instruction-only plus a small helper script). This minimizes supply-chain risk (no remote downloads), but the lack of declared runtime requirements (Node, rsvg-convert/ImageMagick) is an omission. The script writes files to disk and executes local conversion binaries when run.
Credentials
The skill does not request environment variables, credentials, or configuration paths. The script does not access network endpoints or secret-bearing env vars. There is no evidence of disproportionate credential/secret access.
Persistence & Privilege
always is false and the skill is user-invocable. It does not modify other skills or system-wide configs and does not request permanent presence or elevated privileges.
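How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install svg-artist
- Once installation finishes, call the Skill by name or use /svg-artist to trigger it
- Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history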
v1.0.0
Generate images using text LLM to write SVG code. No image generation API needed. Perfect for cartoons, icons, and simple illustrations.
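FAQ
What is SVG Artist?
Generate SVG images using text LLM instead of image generation APIs. Use when user wants to create illustrations, icons, cartoons, diagrams, or any visual co... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 478 cumulative downloads to date.
How do I install SVG Artist?
Run the command "/install svg-artist" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is SVG Artist free?
Yes, SVG Artist is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does SVG Artist support?
SVG Artist is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed SVG Artist?
It is developed and maintained by juliantsaiii (@juliantsaiii); the current version is v1.0.0.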