Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Mermaid Diagrams
v1.0.0
Generate architecture diagrams (network, system, cloud, microservices) and sequence diagrams (API flows, auth flows, data flows) as PNG files using Mermaid....
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: generate Mermaid .mmd files and render PNGs. The required capabilities are minimal and consistent. Note: SKILL.md hardcodes a user-specific path (/home/bcaddy/.openclaw/workspace/diagrams), which is an operational assumption that may not fit other environments.
Instruction Scope
Instructions require encoding the entire .mmd content and invoking https://mermaid.ink/img/<BASE64> via curl. This sends diagram source to an external service (third party). Diagrams often contain sensitive internal details (hostnames, IPs, architecture notes, or credentials if accidentally included), so this is a potential data‑exfiltration/privacy risk. Using a GET path with base64 also exposes content in logs, referrers, and proxies and may hit URL length limits. The skill does not instruct any local/offline rendering alternative.
Install Mechanism
Instruction-only skill; no install spec or downloaded code. Low installation risk because nothing is written to disk by an installer beyond the .mmd and .png files the agent would create per instructions.
Credentials
No environment variables or credentials are required, which is appropriate and minimal. Note, however, the hardcoded filesystem path using a specific username (bcaddy), which is unexpected and could cause failures or accidental writes in other environments.
Persistence & Privilege
Does not request persistent privileges, always:false, and doesn't modify other skills or system-wide settings. It will write output files to the workspace directory per its instructions (normal for this functionality).
What to consider before installing
This skill will produce Mermaid .mmd files locally but then sends the diagram source to mermaid.ink by embedding the base64-encoded .mmd in the URL. Before installing or using it, consider:
(1) Do not include any sensitive information (internal hostnames, IP ranges, credentials, tokens, or proprietary architecture text) in diagrams you render with this skill, because that content will be transmitted to a third-party service and may appear in logs or proxies.
(2) The use of a GET URL with base64 can leak content in web server logs, referrers, or proxies and may hit URL length limits; prefer rendering methods that POST the payload or render locally.
(3) The SKILL.md hardcodes /home/bcaddy/...; update the output directory to a path appropriate for your environment to avoid accidental writes or permission errors.
(4) If you need offline/private rendering, use a local renderer (mermaid-cli mmdc or a self-hosted renderer) instead of mermaid.ink.
If you want me to, I can suggest a safer SKILL.md that renders locally or uses a POST-based renderer, or point you to commands to install mermaid-cli for offline rendering.
Like a lobster shell, security has layers — review code before you run it.
