ClawHub

Draw.io Diagram Generator And Exporter

Security checks across malware telemetry and agentic risk

Overview

This skill appears to create and export draw.io diagrams, with the main caveat that broad trigger words could cause unexpected local diagram files or exports.

Install this only if you want your agent to create local diagram files and use the draw.io CLI to render them. Ask the agent to confirm output filenames and export format before running, especially for vague requests like visualize this. Do not provide financial credentials or purchase authority despite the unrelated capability tags in metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger set includes very broad everyday terms such as "draw," "diagram," and "visualize," which can cause the skill to activate for loosely related requests. Unintended invocation matters here because the workflow proceeds to generate files and potentially run a local CLI exporter, expanding the chance of side effects from ambiguous user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs saving a .drawio file to the user's working directory and then exporting additional output files, but it does not require clear user consent or a warning about filesystem modifications. In context, this is more dangerous because the skill may also invoke a desktop CLI binary, so accidental activation can lead to unexpected file creation and local command execution.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description includes many broad, generic trigger phrases such as 'draw', 'diagram', 'architecture', and 'visualize', which can cause the skill to activate for loosely related user requests. In an agent environment, unintended invocation can route tasks to this skill when the user did not explicitly want draw.io generation, leading to incorrect tool selection, unnecessary file generation, or unintended downstream CLI export behavior.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal