XMind Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: convert provided text or Markdown into an XMind file, with expected local file access and an npm dependency.

This looks safe for normal mind-map generation. Before installing, be aware that it uses npm dependencies and local file paths; keep outputs in the workspace and do not pass sensitive files unless you intend their contents to appear in the generated mind map.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The contents of the chosen input become part of the generated mind map, and the output file is written wherever the command is pointed.

Why it was flagged

The script accepts local input and output paths, reads the selected input, and saves a generated XMind file. This is expected for the skill, but users should be aware of the file paths used.

Skill content
const inputFile = getArg('--input');
const outputArg = getArg('--output') || 'output.xmind';
...
rawText = fs.readFileSync(inputFile, 'utf-8');
...
zipper.save()
Recommendation

Use explicit workspace paths for outputs and only provide input files whose contents you intend to convert.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill dependencies adds npm package code to the environment.

Why it was flagged

The skill requires installing an external npm dependency. This is disclosed and aligned with generating .xmind files, and a package-lock is present, but it still introduces third-party package code.

Skill content
Requires Node.js and the `xmind` npm package. ... npm install
Recommendation

Install from the skill directory using the included lockfile and avoid unreviewed dependency updates.