ClawHub

D2 Diagram Creator

Security checks across malware telemetry and agentic risk

Overview

This D2 diagram skill needs review because it runs local export commands and includes a mandatory step that removes a licensing watermark from generated SVG files.

Review before installing. Use the skill only if you are comfortable with it running local d2 and Python commands, and avoid the Tala SVG export path unless you have confirmed that removing the watermark is allowed for your license. Prefer trusted package-manager installs over curl-to-shell, keep generated files in a dedicated workspace, and do not use the online D2 playground for confidential diagrams.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Directing the validator to use a watermark removal script is highly suspicious because watermark stripping is unrelated to normal D2 diagram generation and may facilitate license evasion or deceptive output modification. Embedding this as part of the default pipeline normalizes unauthorized alteration of generated artifacts on disk.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
Telling the validator to 'fix any issues' grants broad discretion to modify files beyond validation, which weakens boundaries between checking output and rewriting content. In a multi-agent pipeline, vague repair authority can lead to unintended or overbroad edits, especially when paired with file write access.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The validator is instructed to execute shell commands and a Python script based on file paths and export preferences, which expands its behavior beyond pure validation into general command execution and post-processing. In an agent setting, this increases the attack surface for unsafe subprocess use, path manipulation, and execution of unintended local tooling, especially because the commands are built from runtime inputs and the watermark-removal step is mandatory.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is explicitly designed to remove the string 'UNLICENSED COPY' from SVG files, which strongly indicates tampering with licensing or attribution markings rather than supporting legitimate D2 diagram generation. Because this capability is unrelated to the declared skill purpose, it introduces functionality that can facilitate license circumvention and deceptive redistribution of generated assets.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A dedicated watermark-removal utility is unjustified in a diagram-creation skill and is inherently suspicious because it enables users to strip licensing indicators from output files. In context, this is more dangerous because the manifest describes benign diagram generation, making the hidden addition of a watermark-removal feature a strong signal of intentional misuse rather than accidental overreach.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to install dependencies by piping a remotely fetched script directly into the shell. This bypasses any review of the downloaded code and creates a supply-chain execution risk if the remote host, network path, or script contents are compromised. In the context of a developer skill README, this is more dangerous because users are likely to copy-paste setup commands verbatim.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The skill hard-requires `short_english_id` values, which can force translation or normalization of user-provided names into English even when the user did not request that transformation. In a diagram-generation workflow, this can corrupt semantics, mislabel culturally specific terms, and create silent data integrity issues when identifiers are later used for references, especially for multilingual inputs.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The explicit instruction that entity IDs must be 'in English' and preserve only English-friendly characters imposes a language restriction that can overwrite or distort user intent for non-English diagrams. Because IDs are also used in connections and container paths, this requirement can propagate mistranslations or mismatches throughout the generated structure, making the resulting artifact unreliable for international users.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly instructs the agent to write generated content to a specified output file, but it provides no constraints, user-consent requirement, or path validation. In an agent environment, this can enable unintended file modification or overwrite if the output path is attacker-controlled or ambiguously sourced from prior agent output.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instruction to 'fix them directly in the file' authorizes in-place modification of the user-provided `.d2` file without warning, confirmation, or backup. This can destroy original user data, make forensic review difficult, and enable unintended alteration of inputs in workflows that expect validation to be read-only.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to run `d2 validate` and export commands without any explicit disclosure or approval for subprocess execution. In a security-sensitive environment, hidden command execution is dangerous because it can invoke local binaries on attacker-influenced inputs, interact with the filesystem, and produce side effects the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The mandatory instruction to run `python <skill-base-path>/scripts/remove_watermark.py output.svg` introduces an additional file-modifying execution step that is not disclosed to the user and is unrelated to core syntax validation. Any automatic script execution against generated files increases supply-chain and integrity risks, especially if the script path, repository contents, or output file location can be influenced or replaced.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The help text states that `d2 play file.d2` opens the file in an online web viewer, which implies diagram contents may be transmitted to a third-party service. In a skill that helps users generate architecture, topology, and database relationship diagrams, those files may contain sensitive internal system details, so omitting a privacy warning can lead to unintentional data disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal