Skill v3.0.0
ClawScan security
Diagram Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 30, 2026, 10:14 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements (AnyGen CLI + ANYGEN_API_KEY) and runtime instructions align with its stated purpose of generating diagrams; nothing requested appears unrelated or excessive.
- Guidance: This skill appears coherent: it uses the AnyGen CLI and an API key to generate diagrams server-side. Before installing, verify you trust the AnyGen service and the @anygen/cli npm package (check publisher, reviews, and release source). Treat the ANYGEN_API_KEY like any secret: avoid sending sensitive diagrams/data to the service, rotate the key if exposed, and consider creating a scoped key if AnyGen supports it. Note the skill may prompt a browser-based OAuth flow during auth and may install an additional AnyGen workflow skill at run-time as needed.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (anygen), and required env var (ANYGEN_API_KEY) all directly match the stated purpose of using the AnyGen service to generate diagrams.
- Instruction Scope (note): SKILL.md instructs the agent to authenticate (anygen auth login / API key) and to invoke the AnyGen CLI and an AnyGen workflow skill. These instructions stay within diagram-generation scope. Minor note: it references another skill ('anygen-workflow-generate') and suggests installing it via the AnyGen CLI; that external dependency is not declared in the metadata but is reasonable for operation.
- Install Mechanism (note): Install spec uses a Node/npm package (@anygen/cli) to provide the anygen binary, which is a standard approach. This is moderate-risk compared with instruction-only skills because it installs third-party code from a package registry; it's proportionate to the CLI requirement but users should trust the package and vendor.
- Credentials (ok): Only one credential (ANYGEN_API_KEY) is required and declared as the primary credential; that matches the described remote service usage and is proportionate.
- Persistence & Privilege (ok): Skill is not forced-always and does not request broad system or cross-skill config access. It does not claim to modify other skills' configs or system-wide settings.
