Mindmap Generator

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims (create mindmap images and send them to Telegram), but users should be aware of its Telegram credential use, external delivery, and runtime Mermaid CLI dependency.

This skill looks purpose-aligned. Before installing, make sure you are comfortable with mindmap content being sent through Telegram, use a dedicated Telegram bot token, verify the destination chat, and consider preinstalling a pinned Mermaid CLI version instead of relying on runtime npx installation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Telegram bot token can send messages/photos as that bot, so exposure or overly broad bot access could affect the user's Telegram chats.

Why it was flagged

The sender needs a Telegram bot credential to post photos. This is expected for Telegram delivery, but the registry metadata declares no required env vars or primary credential.

Skill content

BOT_TOKEN="${4:-${TELEGRAM_BOT_TOKEN:?Set TELEGRAM_BOT_TOKEN env var or pass as 4th argument}}"

Recommendation

Use a dedicated Telegram bot token limited to the intended chats, keep it out of logs, revoke it if exposed, and declare TELEGRAM_BOT_TOKEN in the skill metadata.

What this means

Private priorities, meeting notes, decisions, or calendar-derived summaries may become visible in the selected Telegram chat.

Why it was flagged

Generated PNG files and captions are sent to Telegram's Bot API. This is the stated delivery mechanism, but it means mindmap content leaves the local agent environment.

Skill content

TELEGRAM_API="https://api.telegram.org/bot${BOT_TOKEN}/sendPhoto"

Recommendation

Only use the skill for content you are comfortable sending through Telegram, and verify the chat_id and bot access before sending sensitive mindmaps.

What this means

The first render may execute code fetched from npm, and future package changes could affect behavior or reliability.

Why it was flagged

If mermaid-cli is not already installed, the renderer may download and run an unpinned npm package at runtime. This is purpose-aligned but has normal npm supply-chain risk.

Skill content

MMDC_CMD="npx -y @mermaid-js/mermaid-cli"

Recommendation

Prefer installing a reviewed, pinned version of @mermaid-js/mermaid-cli in advance and running the renderer in a constrained environment.