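📦 SVG Article Illustrator — SVG Article Illustration
v1.0.5 SVG article illustration tool that generates article illustrations in vector format and supports lossless scaling and editing.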
Last updated
2026/3/24
Security scan
OpenClaw
Suspicious
medium confidence
The skill's described purpose (generate SVG/PNG article illustrations) matches most of its contents, but prompt-injection-like unicode control characters and included scripts that were not fully inspected (archive.sh, svg2png.js) mean you should review those files and the archiving behavior before installing.
Assessment recommendations
What to check before installing or using this skill:
1) Inspect the two included scripts (scripts/svg2png.js and scripts/archive.sh) for any network calls, remote downloads, or unexpected file operations. Ensure svg2png.js only invokes Puppeteer locally and does not fetch remote code or exfiltrate files.
2) Review SKILL.md for any hidden/Unicode-control characters (the scanner flagged them). Hidden characters can manipulate parsing or evaluation — remove them or ask the author for a clean copy....
✓ Purpose and capabilities
Name/description, embedded SVG workflow, and included assets (templates, many example SVGs) align with an article-illustration generator. The optional png-export mode correctly documents Node/puppeteer as a dependency (in references). No unrelated credentials or binaries are requested.
ℹ Instruction scope
SKILL.md instructs the agent to read the source Markdown, embed SVG code directly into the Markdown (default), save external SVG/PNG files for png-export, and archive extracted SVGs into .claude/skills/svg-article-illustrator/archive/.... Writing files to the local workspace and extracting article content for archival is coherent for this skill but has privacy implications; the doc also specifies spawning multiple Task Agents for parallel generation when ≥8 images, which increases activity surface and should be acceptable but monitored.
✓ Install mechanism
There is no install spec (instruction-only), which is low-risk. Two script files are included (scripts/archive.sh and scripts/svg2png.js) that will be used at runtime; because no install downloads arbitrary code at install time, install risk is low — but the scripts themselves need inspection (they may run Node/puppeteer).
✓ Credential requirements
The skill does not request environment variables, credentials, or config paths. The documented optional dependency on Node/puppeteer for PNG export is proportional to that feature and is only required for png-export.
ℹ Persistence and privileges
always:false and user-invocable:true (normal). The skill writes an archive directory into .claude/skills/... each run; that persistent storage is within scope for an archiving feature but could store sensitive article content over time. The skill's ability to spawn multiple Task Agents (documented) increases blast radius if the skill were malicious, but autonomous invocation remains disabled only if platform enforces it — not an immediate red flag alone.
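Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.5 2026/3/24
AI-driven SVG article illustration generator
● Harmless
Install command
Official: npx clawhub@latest install svg-article-illustrator
Mirror (accelerated): npx clawhub@latest install svg-article-illustrator --registry https://cn.longxiaskill.com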