Mindflow

Pass. Audited by ClawScan on May 1, 2026.

Overview

Mindflow appears to be a coherent local mind-map image converter, with the main cautions being unpinned JavaScript dependencies and local headless-browser rendering.

This skill looks safe for its stated purpose. Before installing, be comfortable with installing the listed Node/Bun packages and rendering local HTML with Puppeteer. Use it only on files you intend to convert, and avoid feeding arbitrary untrusted HTML directly into the bundled converter.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may require pulling third-party packages from the JavaScript ecosystem.

Why it was flagged

The skill relies on external JavaScript packages installed without pinned versions or a lockfile shown in the artifacts. This is purpose-aligned for Markmap/Puppeteer rendering, but users should be aware of normal package supply-chain risk.

Skill content
npm install markmap-cli markmap-lib markmap-render puppeteer

Recommendation

Install dependencies from trusted registries, prefer pinned versions or a lockfile when possible, and review package provenance before use.

What this means

If used on malicious or unexpected HTML, the rendering step has a larger local security surface than a purely static image converter.

Why it was flagged

The bundled converter renders HTML through headless Chromium with the browser sandbox disabled. Browser rendering is expected for HTML-to-image conversion, but the disabled sandbox increases the importance of using intended/generated HTML inputs.

Skill content
puppeteer.launch({
    headless: true,
    args: ['--no-sandbox', '--disable-setuid-sandbox']
  })

Recommendation

Use the script on HTML generated by the skill workflow or other trusted files, and consider enabling Chromium sandboxing in environments that support it.