Excalidraw Diagrams
Security checks across malware telemetry and agentic risk
Overview
The skill's files and runtime instructions are consistent with an Excalidraw→PNG renderer; nothing in the bundle looks like intentional misdirection or exfiltration, though there are a few operational notes to check before running installers/scripts.
This skill appears to be what it claims: a local Excalidraw→PNG renderer. Before installing/running:
(1) If you will run scripts/setup.sh, review it and run it in a controlled environment; it runs npm install and downloads fonts from jsdelivr/github.
(2) Verify package-lock.json and the listed npm packages if you require supply-chain assurance.
(3) The renderer reads whatever file path you pass it, so only provide it the intended /tmp/.excalidraw files and avoid pointing it at sensitive system files.
(4) SKILL.md mentions uploading to Google Docs and sending via messaging tools; confirm your agent/platform provides and authorizes those integrations (the skill itself doesn’t request Google credentials).
If you plan to use this skill in production, run the setup and first renders in a sandbox or VM and inspect the fonts and node modules installed.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
