
Security audit

Flowchart Gen

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it advertises, but it rates Review because it automatically picks up local API credentials and, on Windows, launches the Mermaid CLI through a shell (shell=True), an unsafe command-execution pattern.

Install only if you are comfortable with this skill reading DeepSeek/OpenAI credentials from your environment or OpenClaw config and sending diagram prompts to the selected LLM provider. Prefer --no-llm or --raw for local-only use, avoid putting secrets or proprietary details in prompts, and be cautious on Windows until the Mermaid CLI calls avoid shell=True.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

# Execute the command (`cmd` is the Mermaid CLI argument list the skill builds earlier, not shown in this excerpt)
if sys.platform == "win32":
    # shell=True hands the command line to cmd.exe, which interprets metacharacters in any argument
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, shell=True)
else:
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
Confidence
98% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

try:
    # On Windows, using shell=True may be more reliable (author's original comment, translated)
    if sys.platform == "win32":
        result = subprocess.run([cmd, "--version"],
                                capture_output=True, text=True, shell=True)
    else:
        result = subprocess.run([cmd, "--version"],
                                capture_output=True, text=True)
except Exception:
    # Handler not included in the scanner's excerpt; a no-op fallback is assumed here
    result = None
Confidence
95% confidence
Finding
result = subprocess.run([cmd, "--version"], capture_output=True, text=True, shell=True)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads API credentials from environment variables and external config files unrelated to the immediate rendering task, expanding its access to sensitive local secrets. This broad secret-access behavior becomes dangerous because the same script also performs external network calls, creating a pathway for unintended credential use and data exfiltration.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill executes the Mermaid CLI as an external system command, on Windows through a shell (shell=True), which exceeds a purely local text-conversion operation and adds OS-command execution capability. In the context of an agent skill this broadens the attack surface, because untrusted inputs (diagram text, file names, output paths) are processed and then passed into tooling invocations.
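The two subprocess findings and the capability finding above share one root cause: on Windows the skill launches the Mermaid CLI through cmd.exe, so cmd.exe metacharacters such as &, |, ^ and > inside any argument, including a user-chosen output path, are parsed as commands rather than delivered to mmdc. The usual reason for reaching for shell=True on Windows is that npm installs mmdc as a mmdc.cmd shim, which CreateProcess will not find by bare name; shutil.which consults PATHEXT and does find it, which removes the need for the shell. The following is an added example written for this audit, not the skill's code: it resolves the CLI path, passes arguments as a list with shell=False on every platform, and uses the Python interpreter as an offline stand-in for mmdc to show that a metacharacter-laden argument reaches the child unchanged. The function names, the mmdc flags (-i, -o, -e as documented for @mermaid-js/mermaid-cli) and the hostile sample path are assumptions for illustration.

```python
"""Hardened replacement for a shell=True Mermaid CLI call (added example, not the skill's code)."""
from __future__ import annotations

import os
import shutil
import subprocess
import sys
import tempfile

MERMAID_CLI = "mmdc"  # @mermaid-js/mermaid-cli binary; npm installs it as mmdc.cmd on Windows


def resolve_cli(name: str = MERMAID_CLI) -> str | None:
    # shutil.which honours PATHEXT on Windows, so it finds the npm "mmdc.cmd" shim
    # that a bare CreateProcess lookup would miss. That is what shell=True was
    # papering over, so the shell is no longer needed.
    return shutil.which(name)


def build_argv(cli_path: str, input_path: str, output_path: str, fmt: str = "svg") -> list[str]:
    # Arguments stay a list; nothing is ever joined into a command string.
    return [cli_path, "-i", input_path, "-o", output_path, "-e", fmt]


def run_argv(argv: list[str], timeout: int = 30) -> subprocess.CompletedProcess:
    # shell=False on every platform: neither cmd.exe nor sh sees the arguments,
    # so "&", "|", ";" and ">" inside a filename remain literal characters.
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)


def render(diagram_text: str, output_path: str, fmt: str = "svg") -> subprocess.CompletedProcess:
    """Write the diagram to a temp file and invoke mmdc without a shell."""
    cli = resolve_cli()
    if cli is None:
        raise FileNotFoundError(f"{MERMAID_CLI} not found on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        in_path = os.path.join(tmp, "diagram.mmd")
        with open(in_path, "w", encoding="utf-8") as fh:
            fh.write(diagram_text)
        return run_argv(build_argv(cli, in_path, output_path, fmt))


def echo_argument(arg: str) -> str:
    """Offline demonstration: the child receives a hostile argument as one literal string.

    The current Python interpreter stands in for mmdc so this runs without
    mermaid-cli installed; the child prints sys.argv[1] back verbatim.
    """
    proc = run_argv([sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg])
    return proc.stdout


if __name__ == "__main__":
    hostile = "out.svg & calc.exe"  # constructed sample path with a cmd.exe command separator
    print(repr(echo_argument(hostile)))  # arrives intact; under shell=True cmd.exe would run calc.exe
```

If the skill needs to keep supporting a bare command name, the fix is to call resolve_cli once at startup and fail loudly when it returns None, rather than falling back to a shell.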

Missing User Warnings

Low
Confidence
87% confidence
Finding
The FAQ instructs users to set `DEEPSEEK_API_KEY` directly in shell commands but does not mention safe secret-handling practices such as avoiding shared terminals, shell history leakage, screenshots, or committing credentials to files. This can lead to accidental exposure of an API key, especially in multi-user environments or when users copy commands into logs, support tickets, or persistent shell profiles.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The TODO documents behavior that automatically reads DeepSeek API credentials from a local config file and sends prompts to an external LLM service, but it does not mention user consent, data disclosure, or constraints on what content may be transmitted. In a skill that transforms user natural-language input, this creates a real privacy and secrets-handling risk because users may unknowingly send sensitive workflow descriptions or proprietary information to a third party.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Natural-language prompts are sent to external LLM APIs without a clear consent prompt or prominent warning that user content leaves the local system. This is dangerous because prompts may contain proprietary workflows, credentials, or internal architecture details that users assume are processed locally for diagram generation.
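The credential-access finding and the three missing-warning findings above describe the same gap from two sides: the skill reads whatever DeepSeek or OpenAI key it can find, and it ships user prompts off-box with no consent step and no check on what the prompt contains. The following is an added example written for this audit, not the skill's code, showing the controls a maintainer would add: credential lookup scoped to the selected provider and to sources the user opted into, an explicit consent flag before anything leaves the machine, and a heuristic scan that refuses (or, if asked, redacts) prompts carrying API keys, cloud credentials or private-key material. The provider/env-var mapping, the config-file layout, the --allow-remote flag mentioned in the error text and the secret patterns are all assumptions for illustration; the patterns are deliberately conservative and not exhaustive.

```python
"""Opt-in credential loading and an outbound-prompt secret guard (added example, not the skill's code)."""
from __future__ import annotations

import json
import re
from pathlib import Path
from typing import Mapping, Optional

# Assumed env var per provider; only the selected provider's variable is consulted.
PROVIDER_ENV = {"deepseek": "DEEPSEEK_API_KEY", "openai": "OPENAI_API_KEY"}

# Illustrative, conservative patterns for material that must never ride along in a diagram prompt.
SECRET_PATTERNS = {
    "api_key_sk": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),          # OpenAI/DeepSeek-style keys
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+"),
}


class ConsentRequired(RuntimeError):
    """Raised when a prompt would leave the machine without the user having agreed."""


def resolve_api_key(provider: str, env: Mapping[str, str],
                    config_path: Optional[Path] = None, allow_config: bool = False) -> Optional[str]:
    """Read only the selected provider's key, and only from the config file if explicitly allowed."""
    var = PROVIDER_ENV.get(provider)
    if var is None:
        raise ValueError(f"unknown provider {provider!r}")
    key = env.get(var)
    if key:
        return key
    if allow_config and config_path is not None and config_path.is_file():
        # Assumed layout: {"deepseek": {"api_key": "..."}, "openai": {...}}
        data = json.loads(config_path.read_text(encoding="utf-8"))
        return data.get(provider, {}).get("api_key")
    return None  # no silent fallback to other providers' secrets


def find_secrets(prompt: str) -> list[str]:
    """Names of the secret patterns present in the prompt, in declaration order."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(prompt)]


def redact(prompt: str) -> str:
    out = prompt
    for name, pat in SECRET_PATTERNS.items():
        out = pat.sub(f"<redacted:{name}>", out)
    return out


def prepare_outbound_prompt(prompt: str, provider: str, consent_given: bool,
                            redact_secrets: bool = False) -> str:
    """Gate what leaves the machine: require consent, then refuse or redact embedded secrets."""
    if not consent_given:
        raise ConsentRequired(
            f"this prompt would be sent to {provider}; rerun with --allow-remote (assumed flag) "
            "or use the local-only mode")
    hits = find_secrets(prompt)
    if hits and not redact_secrets:
        raise ValueError(f"refusing to send prompt containing {', '.join(hits)}")
    return redact(prompt) if hits else prompt


if __name__ == "__main__":
    # Constructed sample: a workflow description that accidentally contains a key.
    sample = "Draw: client -> auth (token sk-abcdefghijklmnopqrstuvwxyz123) -> api -> db"
    print(find_secrets(sample))
    print(prepare_outbound_prompt(sample, "deepseek", consent_given=True, redact_secrets=True))
```

The refusal default matters more than the redaction: a diagram prompt that contains a credential is almost always a mistake, and surfacing it to the user is better than quietly scrubbing it and sending the rest.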

VirusTotal

67/67 vendors flagged this skill as clean.
