Diagram Generator

v1.0.2

Generates and iteratively edits Mermaid.js and Draw.io diagrams. Supports multimodal context (reading source code, architecture sketches, and documentation).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the included Node.js server code all focus on generating Mermaid and Draw.io diagrams via the Gemini API and saving results locally. Requesting GEMINI_API_KEY and node is appropriate. Requiring curl and base64 as binaries is plausible for agent-driven file checks and encoding, but the shipped web client uses FileReader and the server does not call curl/base64 — so those binary requirements are advisory and slightly redundant.
Instruction Scope
SKILL.md explicitly restricts what files the agent may read (allowlist/blocklist) and describes converting images to base64 and POSTing payloads to http://localhost:3000/api/generate. That scope aligns with the server and frontend logic. However, the allowlist/blocklist are agent-side policies (instructions) rather than technical enforcement on the server: the server accepts arbitrary posted content. The security restrictions therefore rely on the agent following policy; they are not enforced end-to-end.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. The bundle does include Node.js app source and package.json; installing/running it requires npm install and npm start (documented). There are no downloads from untrusted URLs in an install step.
Credentials
The only required environment variable is GEMINI_API_KEY (declared as primary), which is justified by use of @google/genai to call Gemini models. No unrelated credentials or broad filesystem config paths are requested.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It runs a local server and writes files into a downloads/ directory under the skill; that is normal for this kind of tool and scoped to the skill's own directory.
Assessment
This skill appears to do what it says: run a local Node server that calls the Gemini API to produce Mermaid/draw.io diagrams. Before installing or running it locally:
- Review the server.js and public files yourself (they are included) — the server will accept and forward any files you POST to the Gemini API. The SKILL.md's allowlist/blocklist are guidance for an agent, not enforced server-side, so avoid posting secrets or config files.
- Provide GEMINI_API_KEY with least privilege and consider using an API key that has usage limits.
- Run the server in an isolated environment (local dev VM or container) rather than on a production host, and inspect npm dependencies (package-lock.json is included).
- Be aware the frontend and app import third-party libraries (mermaid/mammoth) from CDNs — if you need an offline/air-gapped environment, adjust these to local copies.
- The binary requirements (curl, base64) are likely only needed if an agent running on your host uses shell commands; they are not used by the shipped server in normal browser usage.

If you do let an agent run locally, ensure it follows the SKILL.md file-access policy or restrict the agent’s filesystem access. If you want stronger guarantees, request that the skill enforce allowed file types server-side (reject uploads of env or private config files) and/or run the server inside a sandbox before giving it access to any sensitive repository or credentials.

Like a lobster shell, security has layers — review code before you run it.

Tags: diagrams, drawio, gemini, latest, mermaid


Runtime requirements

Bins: node, curl, base64
Env: GEMINI_API_KEY
Primary env: GEMINI_API_KEY
