Md Of Programer

Advisory

Audited by VirusTotal on Apr 15, 2026.

Overview

- Type: OpenClaw Skill
- Name: md-of-programer
- Version: 0.1.0

The skill instructions in SKILL.md include automated global software installation (`npm install -g mddoc-cli`) and direct shell command execution using the Bash tool. While these actions are aligned with the stated purpose of generating diagrams, the use of global installers and the potential for shell injection via unvalidated diagram names represent significant security risks (vulnerabilities) without being explicitly malicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing these tools can change the local development environment and depends on external package sources.

Why it was flagged

The skill documents global/package-manager installation of external tools. This is expected for diagram generation, but users should verify the packages and approve environment changes.

Skill content

If `mddoc` is not installed:

```bash
npm install -g mddoc-cli
```

If `d2` is not installed:

- macOS: `brew install d2`
- Windows: `winget install terrastruct.d2`

Recommendation

Only allow the install commands if you trust the package sources, or install mddoc and d2 yourself through your normal package-management process.

What this means

The skill may create or update .mddoc files and run local diagram-generation commands.

Why it was flagged

The skill needs file writing and Bash execution to create diagram files and run mddoc/d2. This is purpose-aligned, but it means the agent can make local file changes and execute local commands for this workflow.

Skill content

```yaml
allowed-tools: Write, Bash, Read
```

Recommendation

Use it in the intended project directory and review Markdown and .mddoc changes before committing or sharing them.