Low Risk — Risk Score 15/100
Last scan: 18 hr ago
image-to-svg
Convert image files (PNG/JPG/WebP/GIF/BMP/TIFF) to SVG wrappers with embedded base64 data
A straightforward image-to-SVG converter with no malicious behavior, though it declares an overly broad shell:exec permission that doesn't match actual usage.
Skill Name: image-to-svg
Duration: 44.3s
Engine: pi
Safe to install
Narrow the shell permission to shell:WRITE or filesystem permissions in _meta.json. Pin Pillow to a specific version in requirements.txt.

Findings (2 items)

Severity | Finding | Category | Location

Low | Overly broad shell permission declared | Priv Escalation | _meta.json:6
_meta.json declares 'shell:exec' but the Python script is invoked via 'python3 scripts/convert_image_to_svg.py' without shell expansion. No shell command execution occurs in the code.
Evidence: "permissions": ["shell:exec"]
→ Replace with filesystem:READ and filesystem:WRITE since the skill only reads images and writes SVG files.

Low | Unpinned dependency version | Supply Chain | requirements.txt:1
Pillow in requirements.txt has no version constraint, which could allow a malicious future version to be installed.
Evidence: Pillow
→ Pin Pillow to a specific version, e.g., 'Pillow==10.0.0'
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | NONE | ✓ Aligned | _meta.json declares shell:exec but no shell commands are executed
Filesystem | READ | READ | ✓ Aligned | Reads input images (line 99: input_path.read_bytes())
Filesystem | WRITE | WRITE | ✓ Aligned | Writes SVG output (line 140: output_path.write_text())
Network | NONE | NONE | | No HTTP requests; hardcoded promo URL only appears in generated SVG metadata
External URLs: 3 findings

Severity | Type | URL | Location
Medium | External URL | https://videoany.io/tools/image-to-svg | SKILL.md:15
Medium | External URL | https://videoany.io/tools/image-to-svg. | clawhub.json:4
Medium | External URL | http://www.w3.org/2000/svg | scripts/convert_image_to_svg.py:144

File Tree

6 files · 9.2 KB · 269 lines
Python: 2 files, 188 lines · Markdown: 1 file, 62 lines · JSON: 2 files, 18 lines · Text: 1 file, 1 line
├─ 📁 scripts
│ ├─ 🐍 convert_image_to_svg.py Python 172L · 5.5 KB
│ └─ 🐍 convert_svg.py Python 16L · 344 B
├─ 📋 _meta.json JSON 6L · 132 B
├─ 📋 clawhub.json JSON 12L · 788 B
├─ 📄 requirements.txt Text 1L · 7 B
└─ 📝 SKILL.md Markdown 62L · 2.4 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
Pillow | * | pip | No | Version not pinned; the only dependency, with no known vulnerabilities

Security Positives

✓ No credential harvesting or environment variable access
✓ No network exfiltration or C2 communication
✓ No obfuscation or base64-encoded malicious payloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No reverse shell or remote execution mechanisms
✓ Code is clean, readable, and does exactly what SKILL.md describes
✓ Proper error handling for file I/O operations
✓ Input validation (file existence, type checking)