Excalidraw Diagram Generator

v1.0.0

Generate hand-drawn style diagrams, flowcharts, and architecture diagrams as PNG images from Excalidraw JSON

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code, package.json, and dependencies (@resvg/resvg-js, jsdom, roughjs) match the stated purpose (render Excalidraw JSON to PNG). However the registry metadata claims 'instruction-only / no install spec' and lists no required binaries, while the runtime instructions and included scripts clearly expect Node/npm and include a setup.sh — this mismatch is an incoherence (runtime requires node/npm but these are not declared).
Instruction Scope
SKILL.md directs the agent to write JSON to /tmp and run the provided node renderer; that stays within the stated purpose. The SKILL.md does not instruct running the included setup.sh (which installs dependencies and downloads fonts), so the runtime instructions omit necessary setup steps — another inconsistency. The renderer reads input files you pass and local font files; it does not attempt network calls during render.js execution.
Install Mechanism
There is no formal install spec in registry metadata, but a shipped setup.sh performs 'npm install' and downloads fonts from jsdelivr and GitHub releases. The network sources are standard public CDNs/GitHub (not a mysterious personal server), and npm packages are common rendering libs. Still, a missing install spec plus a script that downloads and extracts archives is an install-surface risk worth noting.
Credentials
The skill does not request any environment variables, credentials, or special config paths. The renderer reads files supplied as input and fonts from its own fonts directory — proportional to its purpose. There are no declared or used credentials.
Persistence & Privilege
The skill does not request always:true, does not alter other skills, and only modifies files within its own directory (setup.sh creates fonts dir and makes render.js executable). It does not request elevated or persistent system-wide privileges.
What to consider before installing
What to check before installing/using this skill:
- This package requires Node.js and npm to run but the registry metadata does not declare any required binaries — ensure Node (recommended >=18) is available.
- The repository includes a setup.sh that runs 'npm install' and downloads fonts from jsdelivr/GitHub. Review the setup.sh and run it in an isolated environment (or inspect/modify it) before executing.
- The npm dependencies are standard rendering libraries, but you should still audit package.json/package-lock.json and consider installing in a sandbox or VM if you have security concerns.
- The renderer reads any file path you pass; avoid rendering sensitive files and only feed it explicit Excalidraw JSON files (SKILL.md suggests /tmp/<name>.excalidraw).
- If you want to use this skill in production, update the metadata to declare required binaries and an install step, or run setup manually and verify fonts and npm artifacts are from expected upstreams.
- Confidence is medium: the package is coherent functionally, but the metadata omissions and an install script that fetches external assets create avoidable risk and merit manual review before use.
