Markdown Diagram Renderer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its stated diagram-rendering purpose, but it can modify Markdown files and may send diagram source to third-party renderers unless local tools are installed.
Before installing, decide whether your diagrams may contain sensitive internal details. Use local renderers to avoid online fallback, run the tool on backups or with `-o`, disable source preservation for sensitive files, and install dependencies in an isolated environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Diagram text, including internal architecture or other sensitive details, may leave the local machine.
The skill discloses that diagram source may be transmitted to third-party rendering services when local tools are absent.
If local rendering tools are not installed, the system will automatically use online APIs... Online rendering sends diagram source code to third-party services: Mermaid → `mermaid.ink`; PlantUML → `plantuml.com`
Install local renderers for sensitive documents, avoid processing sensitive diagrams through online fallback, or run with network access blocked if local-only behavior is required.
Sensitive diagram source may remain hidden in generated Markdown and could be exposed if the file is shared or published.
Original diagram source is retained in output Markdown comments by default, which can keep sensitive or untrusted text in the document after rendering.
Source Preservation: Optionally keep the original diagram code as comments. ... `preserve_source` | bool | True
Use `--no-preserve` or set `preserve_source` to false for sensitive diagrams, and review generated Markdown before sharing.
Running the skill without an output file can change the original Markdown document.
Replacing diagram blocks requires file mutation, and the documented default is to modify the input Markdown file when no output path is provided.
File Overwrite: Defaults to overwriting the original file; recommended to backup or use `-o` to specify an output file.
Use `-o` for a separate output file or keep the document under version control and review the diff after processing.
Local Mermaid or PlantUML renderer binaries will execute when rendering supported diagrams.
The skill invokes local renderer binaries as fixed-argument subprocesses, which is central to rendering diagrams but depends on trusted local tools.
`subprocess.run(['mmdc', '-i', src_path, '-o', dst_path, '-b', 'white'], capture_output=True, timeout=30)` ... `subprocess.run(['java', '-jar', plantuml_jar, f'-t{output_format}', src_path], capture_output=True, timeout=30)`
Install renderer tools from trusted sources, keep them updated, and avoid running the skill with elevated privileges on untrusted documents.
Future installs may resolve to different dependency versions with different behavior or vulnerabilities.
Python dependencies are specified with lower-bound ranges rather than pinned versions, so installed package versions may vary over time.
mistletoe>=0.9.0 graphviz>=0.20.0
Install in a virtual environment and consider pinning or locking dependency versions for reproducible use.
