Skill v0.1.0
VirusTotal security
Prompt to Drawio · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:57 AM
- Hash: cea21637b55ae0e100b27cde99c12f1dea4602e3d710cd9b828b4df16aa9a3b9
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: prompt-to-drawio
  - Version: 0.1.0

  The skill bundle provides a CLI tool for generating and editing draw.io diagrams via LLM APIs, but it includes several high-risk capabilities. Specifically, the script `scripts/prompt_to_drawio.py` performs subprocess execution (`subprocess.run`) to invoke local binaries like `drawio`, `docker`, and `gh`, and it fetches arbitrary remote content via `urllib.request.urlopen` for URL-based context ingestion. Additionally, the script implements an aggressive configuration discovery mechanism (`bootstrap_project_env`) that searches for and loads `.env` files from the current working directory up through all parent directories, which could lead to unintended secret exposure. While these features are aligned with the stated purpose of diagram generation and rendering, the combination of shell, network, and broad file access qualifies the bundle as suspicious.
