Render Academic Diagram Images from Code

Security checks across malware telemetry and agentic risk

Overview

This is a coherent diagram-rendering skill, but its installer and optional cloud path deserve manual review before installation.

Review install.sh before running it. Prefer manually installing Graphviz, D2, and Mermaid CLI from trusted package managers or pinned releases, keep confidential diagrams on the local path, use EMERGENCE_API_KEY only when remote rendering is intended, and periodically clear ./runs/ if diagrams or compiler errors may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Finding 1: Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares powerful capabilities through its metadata and instructions (environment access, shelling out to local binaries, reading templates and run artifacts, writing persistent outputs, and cloud fallback) without an explicit permissions model or user-facing constraint boundary. This is dangerous because a caller may invoke what appears to be a simple diagramming skill while it can access secrets, persist artifacts, and make networked requests, increasing the chance of data exposure or unintended side effects.

Finding 2: Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is local-first rendering of Mermaid, D2, and Graphviz, but the behavior includes authenticated HTTP calls to an external render API, loading API credentials from the environment, and installing unrelated tooling such as PlantUML/Java. This mismatch is dangerous because it conceals materially different trust and attack assumptions from users: prompts or diagram content may be sent off-host, secrets may be consumed, and extra software expands the attack surface beyond what the description suggests.

Finding 3: Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The installer explicitly states that Mermaid rendering will fall back to a Cloud API when Node/NPM is unavailable, which contradicts the skill's 'local-first' positioning and can silently send diagram contents to a remote service. In an autonomous-agent context, diagrams may embed sensitive prompts, topology, or operational metadata, so this expands the data exposure surface beyond what users may expect.

Finding 4: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The script downloads and executes a remote installer directly from the network using shell piping, giving the remote host immediate code execution on the local machine. Because this is an installation path for an agent skill, compromise of the upstream site, DNS/TLS trust chain, or installer content could lead to arbitrary command execution during setup.

Finding 5: Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The README explicitly states that every rendering attempt is saved in ./runs/, including generated content and compiler errors, but provides no retention limits, sanitization guidance, or warning that sensitive prompts, diagrams, or environment details may be persisted. In an autonomous-agent context, this increases the chance of unintentionally storing secrets, proprietary data, or sensitive failure logs on disk where later agents or users may access them.

Finding 6: Vague Triggers
Severity: Medium
Confidence: 85%
Finding: The activation triggers are generic phrases like 'draw,' 'map out,' 'visualize,' and 'show me,' which overlap with many ordinary user requests. Broad triggers are risky because they can cause the skill to auto-activate in contexts where the user did not intend file creation, shell execution, persistent storage, or cloud fallback, leading to unnecessary exposure of data and expanded execution surface.

Finding 7: Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill advertises persistent run history and instructs the agent to inspect files in per-run directories, but it does not warn users that prompts, generated code, stderr, metadata, and rendered artifacts may be stored on disk. This is dangerous because sensitive architectural details, internal system descriptions, or embedded secrets could remain in persistent storage and be exposed to later processes, users, or logs.

Finding 8: Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Using curl-pipe-sh without any user confirmation or warning removes an important safety boundary and makes execution of unaudited remote code automatic. In a skill installer, this is especially risky because users may assume setup actions are limited to declared local dependencies rather than arbitrary fetched shell logic.

Finding 9: External Script Fetching
Severity: High
Category: Supply Chain
Confidence: 97%
Content (excerpt from the skill's README):
### 1. System Dependencies
- **Graphviz**: `brew install graphviz` (Mac) or `apt-get install -y graphviz` (Linux).
- **D2**: `curl -fsSL https://d2lang.com/install.sh | sh`
- **Mermaid CLI**: `npm install -g @mermaid-js/mermaid-cli`

### 2. Auto-Configuration
Finding (flagged line):
curl -fsSL https://d2lang.com/install.sh | sh

VirusTotal

66/66 vendors flagged this skill as clean.
