Excalidraw Diagram Generator
Pass. Audited by ClawScan on May 1, 2026.
Overview
This diagram renderer appears purpose-aligned, with no evidence of malicious behavior, but it relies on local Node execution and setup-time downloads, which users should trust before use.
This appears safe for its stated purpose if you are comfortable running a local Node-based renderer. Before using it, review the setup script, be aware that setup downloads dependencies and fonts, and keep generated input/output files in temporary or workspace paths.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user runs setup, their environment will fetch packages and fonts from external package/CDN/GitHub sources.
The setup helper installs npm dependencies and downloads font assets from external sources. This supports the renderer’s purpose, but the font downloads are not accompanied by visible checksum verification.
npm install ... curl -sL "https://cdn.jsdelivr.net/npm/@excalidraw/excalidraw@0.17.6/dist/excalidraw-assets/Virgil.woff2"
Review setup.sh before running it, use trusted network/package sources, and prefer the included package-lock.json when installing dependencies.
Using the skill runs local JavaScript code and writes an output image file.
The skill instructs the agent to run a local Node.js renderer. This is expected for converting JSON diagrams into PNG images, but it means the skill is not purely declarative.
node <skill_dir>/scripts/render.js /tmp/<name>.excalidraw /tmp/<name>.png
Keep input and output paths scoped to temporary or workspace locations, and only use the renderer from a skill source you trust.
