Excalidraw Canvas

v1.0.0

Create Excalidraw diagrams and render them as PNG images. Use whenever you need to draw, explain complex workflows, visualize UIs/wireframes, or diagram anyt...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (render Excalidraw diagrams to PNG) matches the SKILL.md: instructions POST diagram element JSON to a rendering API and return a PNG and edit URL. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
Runtime instructions are narrowly scoped to: POST JSON to https://excalidraw-mcp.up.railway.app/api/render, decode base64 PNG to /tmp/diagram.png, and return/send the edit URL. They do not read arbitrary local files or request unrelated credentials. Note: the skill will transmit the full diagram payload to an external third-party service (including any text you put in shapes), and instructs writing a file to /tmp.
Install Mechanism
No install spec or code files are present (instruction-only). This is the lowest install risk — nothing is written to disk by the skill itself beyond the one PNG file it asks to create at /tmp/diagram.png.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, because it sends diagram content to an external, third-party endpoint (hosted on railway.app, not an official excalidraw.com domain), use caution: diagrams may contain sensitive information that would be disclosed to that service.
Persistence & Privilege
The skill does not request persistent presence, does not modify other skills or system settings, and uses default invocation settings. No elevated privileges or always-on behavior requested.
Assessment
This skill appears to do what it says: build and render Excalidraw diagrams via a hosted API and return a PNG plus an edit URL. Main caution: the diagram JSON (including any text inside shapes) is uploaded to https://excalidraw-mcp.up.railway.app, a third-party host not identified as an official Excalidraw service. Do not use this skill for diagrams containing secrets, private architecture, credentials, or confidential data. If you need stronger privacy, ask for a version that uses an official or externally vetted API or a self-hosted renderer, or test with only non-sensitive sample diagrams first. If you want higher assurance, request the maintainer/source or a trustworthy hosting domain before using with real data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cwc0w8nenwgrgwn9k69dkex8250ct
