ISAI Mermaid Diagrams

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent diagram-generation skill, but it renders diagrams through the external mermaid.ink service, so diagram contents may leave your environment.

This appears safe for ordinary diagram generation. Before using it with proprietary network maps, architecture diagrams, authentication flows, or data-flow diagrams, consider redacting sensitive details or using a local Mermaid renderer instead of mermaid.ink.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Confidential diagram details could be visible to or logged by the external rendering service.

Why it was flagged

The rendering workflow sends the base64-encoded Mermaid diagram source to the external mermaid.ink service; diagrams about architecture, networks, APIs, auth, or data flows can contain sensitive system information.

Skill content

curl -s "https://mermaid.ink/img/${ENCODED}?bgColor=white&width=2048" -o /home/bcaddy/.openclaw/workspace/diagrams/<name>.png

Recommendation

Use the online renderer only for non-sensitive diagrams, or render locally for proprietary architecture, network, authentication, or data-flow content.

What this means

A user may not immediately realize the default workflow uses a third-party web service instead of only local rendering.

Why it was flagged

The skill text mentions both a local mmdc CLI and the online mermaid.ink renderer. The online renderer is disclosed, but the inconsistency could cause a user to misunderstand whether rendering is local or remote.

Skill content

Generates Mermaid diagrams and renders them to PNG using the `mmdc` CLI. ... Use **mermaid.ink** (free online renderer, no browser/install needed)

Recommendation

Clarify the skill documentation to state that mermaid.ink is the default renderer, or provide a local rendering option when privacy matters.