Draw.io Diagram Generator And Exporter
v3.1.0**Use this skill** when the user wants to create any diagram: flowchart, architecture, UML (sequence/class), ER, mindmap, network topology, or any visual dia...
⭐ 1· 140·0 current·0 all-time
byBruce Van@bruc3van
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill's stated purpose (generate draw.io diagrams) matches its instructions (generate drawio XML, save .drawio, call draw.io desktop CLI to export). Minor inconsistencies: the packaged metadata declares no required binaries/env but the runtime instructions expect a local draw.io CLI to be present (the skill should have declared this binary as a dependency). README also suggests cloning a GitHub repo for installation even though this package is instruction-only; this is a documentation mismatch but not evidence of malicious intent.
Instruction Scope
SKILL.md's runtime steps are narrowly scoped to: parse user intent, generate drawio XML, self-review, write a .drawio file to the user's working directory, and call the local draw.io CLI for export. The instructions do not request unrelated files, credentials, or external endpoints, and the 'self-review' step only refers to re-reading generated XML and local reference docs included in the package.
Install Mechanism
No install spec is present (instruction-only), which is low-risk. The README documents normal platform package managers (brew/winget/snap) for installing draw.io itself — those are legitimate, well-known sources. There are no arbitrary download URLs or extract steps in the package.
Credentials
The skill does not request environment variables, credentials, or config paths. Its runtime behavior (writing a file to the working directory and invoking a local CLI) is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request always: true and does not claim persistent/system-wide changes. It will write .drawio files to the user's working directory and invoke a local binary to export images — expected for a diagram-export skill. There is no evidence it modifies other skills or global agent configuration.
Assessment
This skill appears to do what it says: generate draw.io XML, save a .drawio file locally, and call your local draw.io (diagrams.net) desktop CLI to export PNG/SVG/PDF. Before installing: 1) Verify you are comfortable allowing the agent to write files to your working directory and to run a local binary (draw.io); the skill will check for and invoke that binary. 2) Confirm draw.io is installed from a trusted source (brew/winget/snap or the official GitHub releases) so the invoked CLI is trustworthy. 3) Note small doc mismatches (skill.json version vs registry metadata and README's suggestion to clone a GitHub repo) — consider inspecting the repository/source the agent would clone before allowing installation. 4) If you do not want an agent to execute local commands or write files, do not enable this skill. Overall the package is internally coherent and does not request secrets or external endpoints.Like a lobster shell, security has layers — review code before you run it.
latestvk97a84jea1amsqtvqe05336x2s84hek5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.