diagram-generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent diagram-generation helper, with the main cautions being its disclosed use of an unpinned external MCP server and its ability to create or edit diagram files.

Before enabling this skill, verify the external mcp-diagram-generator package, prefer project-level MCP configuration over global configuration when possible, and review output paths before creating or editing files. Avoid putting confidential infrastructure details into diagrams unless you trust the configured MCP server.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

63/63 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing as documented will run an external MCP package in the user's Claude/MCP environment.

Why it was flagged

The documented setup runs a separately distributed, unpinned npm package as an MCP server. This is disclosed and purpose-aligned, but it is a supply-chain item users should verify.

Skill content

"command": "npx", "args": ["-y", "mcp-diagram-generator"] ... "The MCP server will auto-download via npx on first use"

Recommendation

Verify the mcp-diagram-generator package and maintainer, pin a version if possible, and prefer project-level configuration when only one project needs it.

What this means

A mistaken file selection or output path could change existing diagram files or create directories outside the intended location.

Why it was flagged

The skill can direct a tool to modify existing diagram files and create/write diagram outputs. This is expected for a diagram editor, but file targets should be reviewed.

Skill content

Legacy File Support: Read and modify existing .drawio, .mmd (Mermaid), or Excalidraw files ... Supports custom file paths and automatic directory creation.

Recommendation

Use project-local paths, review target filenames before generation or edits, and keep diagrams under version control or backed up.

What this means

Sensitive architecture, system, or network-topology details included in a diagram will be processed by the configured MCP server.

Why it was flagged

Diagram content is passed from the agent to a configured MCP server. This is disclosed and necessary for the skill, but the server should be trusted if diagrams contain sensitive architecture or network details.

Skill content

delegating file generation to the mcp-diagram-generator MCP server ... Call `generate_diagram` with only `diagram_spec` parameter

Recommendation

Use a trusted MCP server configuration and avoid including confidential infrastructure details unless you have verified the package and its behavior.