Diagram Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent diagram-generation skill, but it asks the agent to install an additional unreviewed helper skill automatically and sends diagram content to AnyGen's servers.

Review before installing. Use a dedicated, revocable AnyGen API key, avoid sending confidential diagrams unless AnyGen is approved for that data, and manually approve or inspect any `anygen-workflow-generate` helper-skill installation instead of allowing an automatic `-y` install.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The activation description is extremely broad and says to use the skill any time a diagram or visual structure needs to be drawn, which can cause the agent to invoke a remote third-party service in many ambiguous cases without deliberate user confirmation. In this skill, that risk is amplified because the diagram content may be sent server-side to www.anygen.io, so over-triggering can lead to unintended data disclosure and unnecessary external API use.

Missing User Warnings

High
Confidence: 97%
Finding
The skill states that diagrams are generated server-side at www.anygen.io, but it does not clearly warn users before use that their diagram content may be transmitted to a remote service. Because this skill is intended for architecture diagrams, org charts, network topologies, and other potentially sensitive internal material, lack of upfront disclosure creates a meaningful confidentiality and consent risk.

VirusTotal

65/65 vendors flagged this skill as clean.
