v1.0.0

excalidraw

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:01 AM.

Analysis

This appears to be a normal local Excalidraw diagram generator; the main things to notice are that it runs an included Python script and creates local files.

Guidance

This looks reasonable for generating Excalidraw files locally. Before installing, be comfortable with the included Python script running in your workspace, note that Python is required even though metadata does not declare it, and remember that any sensitive details you include in a diagram will be saved into the generated .excalidraw file.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low; Confidence: High; Status: Note
SKILL.md
After writing `diagram_input.json`, run the build script: `python <skill_dir>/scripts/build_excalidraw.py --input diagram_input.json --output <title>.excalidraw`

The skill explicitly relies on running an included local Python script and writing output files. This is purpose-aligned for diagram generation, but users should be aware that installing/using it grants local script execution for this workflow.

User impact: When asked to create a diagram, the agent may run the bundled Python converter and create files in the working directory.
Recommendation: Use it when you are comfortable with local Python execution and check the generated filename/path before relying on the output.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none; Required binaries (all must exist): none

The registry metadata gives limited provenance and does not declare a required Python binary even though the workflow depends on Python. This is a setup/provenance gap, not evidence of hidden or malicious behavior.

User impact: Users have less upstream context for the bundled script and may only discover the Python dependency at use time.
Recommendation: Review the bundled script if provenance matters to you, and make sure Python is available before using the skill.