Swimlane Arch

Pass. Audited by ClawScan on May 5, 2026.

Overview

This instruction-only diagram skill is broadly coherent and low risk, but users should notice that it can use a ProcessOn API key and upload generated diagrams to a cloud API if configured.

Safe to use for local Draw.io XML generation. If you have PROCESSON_API_KEY set, expect cloud upload behavior; avoid using that mode for sensitive business, system architecture, or government-process details unless the third-party service is approved for that data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key is configured, the agent may use that ProcessOn-related account to create or upload diagram content.

Why it was flagged

The skill can use an API key from the environment to act against a third-party diagram service. This is aligned with the optional ProcessOn feature, but users should know that an account credential may be used.

Skill content

If the user has configured a ProcessOn API Key (environment variable `PROCESSON_API_KEY`), the ProcessOn API is called in preference

Recommendation

Only configure PROCESSON_API_KEY if you want cloud generation; otherwise leave it unset and use the default Draw.io XML output.

What this means

Private process or architecture information included in a diagram could be sent to the external ProcessOn/PingCode API when the API key is present.

Why it was flagged

The skill discloses an external cloud API upload path for generated diagrams. This is purpose-aligned, but diagram content may include business processes or architecture details.

Skill content

Call `POST https://open.pingcode.com/v1/graph` to upload and generate the image ... return the ProcessOn online link

Recommendation

For confidential diagrams, request local Draw.io XML output or ensure you are comfortable with the third-party service receiving the diagram content.