Skillv1.0.1

ClawScan security

Mermaid Visualizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 9, 2026, 11:55 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only Mermaid diagram generator whose declared purpose matches its instructions and it requests no credentials or installs — it appears internally coherent.
Guidance: This skill is instruction-only and appears coherent for turning text into Mermaid diagrams. Before installing: (1) Review the included SKILL.md/README (you already have them) and confirm you trust the GitHub repo owner if you plan to clone the project. (2) Install only via the plugin marketplace or by manually copying files into your own ~/.claude/skills directory — avoid running arbitrary install scripts. (3) The skill does not ask for credentials, but avoid pasting sensitive secrets into prompts (diagrams you generate may include any text you provide). (4) Note the project is marked 'experimental' and may not be actively maintained; test on non-critical inputs first and verify outputs render in your target platform (Obsidian/GitHub) before using in production.

Review Dimensions

Purpose & Capability: okName and description (Mermaid diagram generation) match the SKILL.md content and README. The skill declares no binaries, env vars, or credentials and the instructions only cover parsing text into Mermaid code and syntax rules — all appropriate for the stated purpose.
Instruction Scope: okSKILL.md is focused on analyzing user text, choosing diagram types, generating Mermaid code, and outputting Markdown fences. It does not instruct the agent to read unrelated system files, access credentials, or transmit data to external endpoints. The README does include optional manual install steps (git clone + cp into ~/.claude/skills) — normal for user-controlled installation but not part of the runtime instructions.
Install Mechanism: noteThere is no install spec in the registry metadata (instruction-only skill), which limits risk. The README mentions installing via a plugin marketplace or cloning from GitHub and copying into ~/.claude/skills; cloning a public GitHub repo is standard but requires trusting the repository owner. No opaque download URLs or archive extraction are used.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The README notes optional network behavior for Excalidraw fonts (not part of the Mermaid skill itself) which is explanatory rather than a runtime requirement for Mermaid diagram generation.
Persistence & Privilege: okThe skill does not request 'always: true' and is user-invocable. Manual install requires placing files under the user's Claude Code skills directory (~/.claude/skills), which is standard for user-installed skills and not a cross-skill privileged modification. Autonomous invocation by the model is the platform default and not unique to this skill.