Diagrams

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: diagrams
Version: 1.0.0

The `scripts/render-elk.mjs` file contains a shell injection vulnerability. When the `--png` flag is used, the script calls `child_process.execSync` to convert SVG to PNG with the `sips` command. The file paths passed to `sips` are derived from user-controlled input (input JSON file names and directories). Although these paths are enclosed in double quotes, quoting is insufficient because the paths are still interpolated into a string that a shell parses: a filename or directory name that itself contains a double quote followed by shell metacharacters (e.g., `"; rm -rf /tmp; echo "`) closes the quoted argument and injects additional commands, potentially leading to Remote Code Execution.