Beauty Diagram

Security checks across malware telemetry and agentic risk

Overview

This is a coherent diagram-rendering skill that uses a disclosed external CLI/API and may create files or share links only as part of its stated diagram workflows.

Install this if you are comfortable running an npm CLI that sends diagram source or prompts to Beauty Diagram. Use local SVG/PNG exports for sensitive material, and be deliberate with `bd share`, `bd embed-url --share`, or README edits because they can create externally hosted diagram URLs and change repository files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 93% confidence
Finding
The README explicitly encourages generating third-party-hosted embed URLs and injecting them into user-controlled documents like READMEs without warning that this publishes diagram content to an external service. In an agent context, this can cause unreviewed file modification and unintended external disclosure of potentially sensitive architecture or workflow information.

Missing User Warnings

Medium, 92% confidence
Finding
The skill encourages creation of public share links and embed URLs, but it does not consistently require an explicit warning that this action publishes diagram contents to a publicly accessible endpoint. Users could unintentionally expose internal architecture, credentials shown in diagrams, or other sensitive documentation.

Missing User Warnings

Low, 81% confidence
Finding
The workflow instructs the agent to write files, inject image references, and modify repository documentation without placing a nearby warning about file modification side effects. This can lead to unintended changes to user files or documentation, especially in automated or batch contexts.

VirusTotal

62/62 vendors flagged this skill as clean.
