Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
diagram-generator
v1.1.1生成和编辑各种类型的图表(drawio、mermaid、excalidraw)。支持流程图、时序图、类图、ER图、思维导图、架构图、网络拓扑图等常见图表类型。能够根据自然语言描述创建新图表,也能读取并修改已有的 drawio/mermaid/excalidraw 文件。使用独立的 MCP server (mcp-diagram-generator) 生成图表文件,减少 token 消耗并保证输出一致性。支持自动配置管理,默认输出路径为项目目录下的 diagrams/{format}/,支持自定义路径和自动创建目录。
⭐ 33· 17.9k·185 current·192 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (generate & edit drawio/mermaid/excalidraw) matches the instructions: it builds JSON specs and calls an MCP server to produce files. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md confines actions to creating JSON specs, validating them against the included schema, and calling the mcp-diagram-generator MCP server. It only references project-local output paths and a per-skill config file (.diagram-config.json). There are no instructions to read unrelated system files or exfiltrate data.
Install Mechanism
There is no built-in installer in the skill (instruction-only). The doc recommends configuring an MCP server to be auto-started via 'npx -y mcp-diagram-generator' — this will download and run code from the npm registry. That is a normal convenience but is a supply-chain risk (npm package code executes locally). If you prefer, the skill also documents running a local node path for development.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The declared requirements match the instructions (the only external dependency is the MCP server). There are no unexplained SECRET/TOKEN/KEY requests.
Persistence & Privilege
The skill is not always-enabled and does not request elevated agent privileges. It will create a local .diagram-config.json and directories under the project (diagrams/{format}/) — behavior consistent with its purpose.
Assessment
This skill looks coherent: it generates JSON specs and delegates file generation to an 'mcp-diagram-generator' MCP server. Before installing or configuring the MCP auto-download (npx -y mcp-diagram-generator), verify the npm package/source: check the package homepage/repository, review its code or recent maintainer activity, and prefer installing from a trusted release or using a local copy if you have doubts. If you must use npx, consider running it in an isolated environment/container and inspect the created .diagram-config.json for unexpected behaviors. Because the skill doesn't request credentials or access system paths beyond project directories, its direct privilege needs are low — the main risk is the external package you choose to run.Like a lobster shell, security has layers — review code before you run it.
latestvk9797ne11pghqwk9e45hm6954s80h1tt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.