Visual Explainer Main
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent visual-HTML generation skill, with noteworthy but disclosed behavior: it may read project files and agent notes, edit a target document during fact-checking, open generated HTML locally, and optionally use external CDN or Gemini-based tools.
Install only if you are comfortable with a diagram/review skill reading your current project context, creating HTML files under ~/.agent/diagrams/, opening them in a browser, and editing a chosen document when using /fact-check. Review outputs before sharing, and avoid optional surf/Gemini or CDN-backed diagrams for highly sensitive material.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 63
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on the wrong file or if the agent makes an incorrect correction, the original document could be changed.
The fact-check prompt can directly edit the target document. This is disclosed and aligned with the fact-checking feature, but it is still mutation authority over user files.
correct inaccuracies in place ... Write corrections to the original file.
Use the fact-check prompt only on intended files and review the resulting diff or file contents after it runs.
Opening a generated diagram can execute third-party library code in the browser, which may matter for sensitive project diagrams.
Generated pages may load external JavaScript from a CDN for Mermaid diagrams. This is purpose-aligned and documented, but it means some outputs are not purely offline/self-contained and inherit CDN supply-chain risk.
`import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs';`
For sensitive or offline use, prefer locally vendored libraries, exact pinned versions, and integrity checks where possible.
Private project notes or stale/incorrect memory entries may be reflected in generated recap pages.
The recap workflow can read persistent agent memory and project notes, then reuse that context in generated output. This is relevant to privacy and to the trustworthiness of reused notes.
Read progress docs if they exist (`~/.agent/memory/{project}/progress.md`, `~/.pi/agent/memory/{project}/progress.md`, `.pi/todos/`, or similar).
Review generated pages before sharing them, and keep project memory/progress files free of secrets or untrusted instructions.
Illustration prompts derived from the user’s topic or project may be sent to the configured Gemini/surf provider.
The skill may optionally call an external AI/image provider through surf-cli when available. This is disclosed and optional, but it creates an external provider data flow.
If `surf` CLI is available (`which surf`), consider generating an AI illustration via `surf gemini --generate-image`
Disable or avoid surf-cli for projects where even high-level descriptions should not be sent to an external provider.
