Erdmannsilva Excalidraw
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: erdmannsilva-excalidraw
Version: 1.0.0
The skill bundle provides a legitimate utility for rendering Excalidraw JSON diagrams into PNG images using Node.js, roughjs, and resvg-js. The setup script (scripts/setup.sh) downloads fonts from trusted sources (jsDelivr and Microsoft's GitHub) and uses standard tools for font conversion. The rendering logic (scripts/render.js) is self-contained, performs no unauthorized network activity, and handles file operations safely within the context of its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the skill runs its renderer locally and writes a generated PNG file.
The skill explicitly instructs the agent to run a local Node script to render the diagram. This is expected for the stated purpose and scoped to temporary files, but users should recognize that installing the skill allows local script execution.
Render — `node <skill_dir>/scripts/render.js /tmp/<name>.excalidraw /tmp/<name>.png`
Use it only from a source you trust, and avoid rendering highly sensitive diagrams unless you are comfortable with temporary local files.
Running setup will contact npm/CDN/GitHub-hosted sources and place dependencies or fonts in the skill directory.
The setup script installs npm packages and downloads font assets from external locations. This is normal for a renderer needing dependencies and fonts, but it is a supply-chain surface and is not represented by an install spec.
npm install
curl -sL "https://cdn.jsdelivr.net/npm/@excalidraw/excalidraw@0.17.6/dist/excalidraw-assets/Virgil.woff2"
Run setup in a trusted environment, prefer reproducible installs using the included lockfile, and verify external assets if you need high assurance.
It may be harder to confirm exactly who packaged or republished the skill.
The packaged metadata does not match the registry metadata supplied for this review, which lists a different owner ID and slug. This is a provenance inconsistency, not evidence of malicious behavior.
"ownerId": "kn78dsm1n497jqdaqejesm3g1s80806p", "slug": "excalidraw"
If publisher identity matters, verify the skill source or publisher before installing.
