v1.0.0

AI Mermaid Diagrams

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:07 AM.

Analysis

This instruction-only skill is coherent for generating Mermaid diagrams, but users should note that diagrams are rendered by sending their source to the external mermaid.ink service.

Guidance: This skill appears safe for ordinary diagram generation. Before using it for proprietary architecture, network topology, authentication flows, or security diagrams, be aware that the Mermaid source is sent to mermaid.ink for rendering and saved under the workspace diagrams directory.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

The registry metadata declares no required binaries or install step, while the SKILL.md workflow uses shell utilities such as mkdir, base64, and curl. This is a minor dependency declaration gap rather than a hidden behavior.

User impact: The skill may require common command-line tools and outbound network access even though the metadata does not declare them.

Recommendation: Confirm the environment has the needed utilities and that outbound access to mermaid.ink is acceptable before using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
curl -s "https://mermaid.ink/img/${ENCODED}?bgColor=white&width=2048"

The skill renders diagrams by sending base64-encoded Mermaid content to the external mermaid.ink service. This is disclosed and purpose-aligned, but architecture or authentication diagrams may contain sensitive system details.

User impact: Diagram text may be transmitted to a third-party rendering service, even if the output file is saved locally.

Recommendation: Avoid including secrets or confidential infrastructure details in diagrams sent to mermaid.ink; use a local Mermaid renderer if diagrams are sensitive.