Skill v0.1.0

ClawScan security

Prompt to Drawio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 5:13 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill matches its stated purpose (prompt-to-drawio generation/edit/export) but contains a few behaviors—automatic .env discovery/loading and local-file ingestion for model calls—that could accidentally expose unrelated secrets or project data unless the user takes precautions.
Guidance
This skill appears to do what it claims (generate/edit/export draw.io diagrams using an LLM), but take these precautions before installing or running it:

- Be aware the CLI auto-loads the nearest .env (searches upward) by default and will populate process env vars. If you have sensitive secrets in a project .env, those may be read and (if used as input) sent to the model endpoint. Run with --no-dotenv or set DRAWIO_DOTENV_FILE explicitly to avoid accidental loading.
- The tool will ingest local files and URLs you pass with --file/--url and send their content to the model provider. Do not pass files that contain secrets or sensitive data unless you trust the provider.
- Check the startup configuration summary the script prints (it masks keys but reports presence) to verify which key/base URL will be used.
- If you plan to run inside an agent (in-session LLM mode), prefer that mode so the script does not need an external API key.
- Review and/or run the included script in a controlled environment first (no sensitive .env nearby) to confirm behavior.

If you are uncomfortable with automatic .env loading, always use --no-dotenv and provide keys explicitly via secure means. If you want, I can highlight the exact lines in the script that implement .env auto-loading, dotenv precedence, and the network fetches so you can review them more easily.

Review Dimensions

Purpose & Capability
ok
Name/description align with what the code and SKILL.md do: generate/edit/export draw.io diagrams, ingest local files/URLs, lookup shape libraries, and run optional LLM-driven validation. Expected environment variables (API keys) are documented for standalone CLI mode.
Instruction Scope
concern
Runtime instructions and the script ingest local files (text/pdf/image), fetch URLs, and by default auto-load the nearest .env upward from the current working directory. Those behaviors are within the declared functionality, but auto-loading a project .env and reading arbitrary context files means secrets or other sensitive project values can end up in the environment or be sent to remote model endpoints unless the user explicitly opts out.
Install Mechanism
ok
No install spec in the registry (instruction-only). README suggests GitHub cloning or npx installer, and the script references public GitHub raw URLs for shape libraries and standard Docker image jgraph/drawio as fallback. No opaque external download URLs or extract-from-arbitrary-IP patterns were found.
Credentials
concern
The skill does not require credentials to be declared up-front, but the CLI supports/looks for DRAWIO_LLM_API_KEY, OPENAI_API_KEY and several related vars and will auto-load a nearby .env into the process environment. Auto-loading .env files (without explicit --no-dotenv) can pull unrelated secrets (AWS keys, DB passwords, etc.) into the process. This is plausible for a CLI that needs an LLM key, but the default upward-search dotenv behavior is a proportionality risk if the user is not aware.
Persistence & Privilege
ok
Skill is not marked always:true and does not declare system-wide configuration changes. It reads/writes files the user requests (out-drawio/out-image/backup) and prints a startup config summary; no evidence of modifying other skills or agent-wide settings.