Diagram
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: diagram
Version: 1.0.0

The skill bundle is designed for diagram generation, which is a benign purpose. However, the `SKILL.md` file includes a `bash` command example using `npx @mermaid-js/mermaid-cli mmdc` to render diagrams. While this command is legitimate for the skill's function, its presence in an AI agent's instructions introduces a potential shell injection vulnerability: if the agent constructs the input/output filenames or other parameters for this command from unsanitized user input, it could lead to arbitrary command execution. This is classified as suspicious due to the inherent risk of shell command execution, even though there is no clear evidence of malicious intent within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user asks for an image render, the agent may suggest or use a command that downloads and runs an npm package to create the diagram image.
The skill documents an optional command that fetches and runs Mermaid CLI from npm without a pinned version. This is aligned with rendering diagrams, but users should notice and approve external package execution.
npx -y @mermaid-js/mermaid-cli mmdc -i diagram.mmd -o diagram.png -b transparent
Only run the rendering command in a trusted environment, and consider pinning the Mermaid CLI version if repeatability or supply-chain control matters.
