Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

“Render Mermaid diagrams as beautiful SVG, PNG, or ASCII art. Supports 6 chart types (flowchart, sequence, state, class, ER, XY chart), 16 built-in themes, 5 style presets, CSS-level customization, interactive preview, and batch rendering. Works in terminal, chat, or web environments.”
description_zh: “Mermaid 图表美化渲染工具,支持流程图/序列图/状态图/类图/ER图/XY图表6种类型,16主题5预设,可导出SVG/PNG/ASCII”
description_en: “Beautiful Mermaid diagram renderer (SVG/PNG/ASCII, 16 themes, 5 presets, interactive preview)”

v1.0.0

by chouray @chouraycn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The claimed capability (Mermaid → SVG/PNG/ASCII, theming, batch rendering) aligns with the code files, package.json, and dependencies (beautiful-mermaid + sharp). No unrelated credentials or binaries are requested. Minor mismatch: top-level description mentions 16 themes while some docs refer to 15; otherwise capability and requirements are proportionate.
Instruction Scope
SKILL.md imposes a high-priority runtime rule that the AI must always open the bundled preview.html via preview_url (file://{__SKILL_DIR__}/assets/preview.html) before rendering, unless the user explicitly opts out. That is an unusual mandatory UI step for a renderer and grants the skill authority to insist on a workflow. README contradicts this by instructing use of system 'open' to view preview (SKILL.md forbids 'open'/'xdg-open' and running local HTTP servers). Also the preview file references external fonts (fonts.googleapis.com), and preview.html may contain JavaScript — the agent will load an HTML asset that can make network requests or execute scripts in the viewer. These behaviors expand the runtime surface beyond simple code-to-image rendering and should be inspected.
Install Mechanism
No install spec was declared for the skill platform, but a package.json and package-lock.json are present indicating an npm-based project. Dependencies include sharp (native image library) which can require native builds and extra platform tooling; installing could trigger native module compilation or platform-specific binary downloads. No remote arbitrary download URLs were used in the provided manifest. This is not high-risk but is operationally non-trivial.
Credentials
The skill does not request environment variables, credentials, or config paths. Dependencies and scripts operate on local files only (user-supplied .mmd files and local assets). No excessive secrets access is requested.
Persistence & Privilege
Flags: always:false and model invocation is allowed (default). The skill does not request persistent or cross-skill privileges and does not declare modifications to other skills or global agent config. Autonomous invocation combined with the forced-preview instruction increases blast radius but is not by itself a red flag.
Scan Findings in Context
[base64-block] unexpected: The SKILL.md contained a 'base64-block' pattern flagged by the pre-scan. Base64 blocks embedded in runtime instruction files can be used for hidden payloads or prompt-injection. This is not expected for a rendering/instruction document and should be manually inspected to see what the base64 encodes and why it's present.
What to consider before installing
What to check before installing/using this skill:
1) Review SKILL.md and assets/preview.html for embedded/obfuscated content (the pre-scan flagged a base64 block). Decode any base64 blocks and confirm they are harmless (e.g., static assets), not instructions or hidden payloads.
2) Inspect assets/preview.html and any bundled JS for network calls and external endpoints. Preview.html already links fonts.googleapis.com; ensure there are no unexpected analytics or remote POSTs that could leak data when the preview is opened.
3) Note the mandatory preview rule in SKILL.md: the agent is instructed to always open the local preview via preview_url before rendering unless the user explicitly says to skip. Decide whether you are comfortable with that enforced workflow (it causes the agent to load and execute an HTML asset in the viewer). Also reconcile the README vs SKILL.md contradiction (README suggests using system 'open' which SKILL.md forbids).
4) If you plan to run npm install: be aware 'sharp' may need native build tools or platform-specific binaries. Run installation in an isolated/sandbox environment if you are unsure.
5) Inspect scripts (render.js, rich-html.js, styles.js) for any use of child_process/execSync or network libraries. If execSync is used anywhere to run shell commands, review the exact commands to ensure they are safe and cannot be fed untrusted input.
6) If you will allow autonomous agent invocation, consider temporarily disabling autonomy for this skill until you verify the code. The skill's mandatory preview and HTML loading increase the risk surface if the skill is invoked without oversight.
If you want, I can (a) decode any base64 block you paste here, (b) search the provided files for child_process or network calls and summarize exact lines to inspect, or (c) produce a short checklist and commands to inspect the package locally in a sandbox.

Like a lobster shell, security has layers — review code before you run it.
