Erdmannsilva Excalidraw
Pass. Audited by ClawScan on May 12, 2026.
Overview
This appears to be a normal local Excalidraw-to-PNG renderer, with setup and provenance caveats rather than clear malicious behavior.
This skill looks benign for generating diagrams. Before installing, be aware that using it involves running a local Node script and setup may download npm dependencies and fonts. For sensitive diagrams, remember that the workflow writes JSON and PNG files under /tmp and does not document cleanup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the skill runs its renderer locally and writes a generated PNG file.
The skill explicitly instructs the agent to run a local Node script to render the diagram. This is expected for the stated purpose and scoped to temporary files, but users should recognize that installing the skill allows local script execution.
Render — `node <skill_dir>/scripts/render.js /tmp/<name>.excalidraw /tmp/<name>.png`
Use it only from a source you trust, and avoid rendering highly sensitive diagrams unless you are comfortable with temporary local files.
Running setup will contact npm/CDN/GitHub-hosted sources and place dependencies or fonts in the skill directory.
The setup script installs npm packages and downloads font assets from external locations. This is normal for a renderer needing dependencies and fonts, but it is a supply-chain surface and is not represented by an install spec.
npm install
curl -sL "https://cdn.jsdelivr.net/npm/@excalidraw/excalidraw@0.17.6/dist/excalidraw-assets/Virgil.woff2"
Run setup in a trusted environment, prefer reproducible installs using the included lockfile, and verify external assets if you need high assurance.
It may be harder to confirm exactly who packaged or republished the skill.
The packaged metadata does not match the registry metadata supplied for this review, which lists a different owner ID and slug. This is a provenance inconsistency, not evidence of malicious behavior.
"ownerId": "kn78dsm1n497jqdaqejesm3g1s80806p", "slug": "excalidraw"
If publisher identity matters, verify the skill source or publisher before installing.
