Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Excalidraw Creator

v1.0.0

Create hand-drawn style Excalidraw diagrams, flowcharts, and architecture visuals as PNG images

by Pedro Gonzalez (@plgonzalezrx8)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included renderer code: render.js converts Excalidraw JSON into PNG using roughjs + resvg-js. The SKILL.md workflow (generate JSON → save to /tmp → node render.js → send PNG) aligns with the stated purpose.
Instruction Scope
SKILL.md stays within the diagram-rendering domain and does not request unrelated files or credentials. It does instruct writing JSON to /tmp and running render.js; render.js reads the input JSON (or stdin) and writes the PNG. SKILL.md does not explicitly document the runtime requirement for Node/npm or the setup script, which is an omission.
Install Mechanism
There is no registry install spec, but the repository includes scripts/setup.sh, which runs 'npm install' and downloads fonts from jsdelivr and a GitHub release. That means dependencies will be fetched from npm and external CDNs if the user runs setup.sh. The package sources are standard (npm, jsdelivr, GitHub), but the absence of an official install step plus networked downloads increases operational risk and requires manual review before running.
Credentials
The skill declares no environment variables or credentials and the renderer code does not read env vars or network endpoints. The only external network activity is in setup.sh (font downloads). No unrelated secrets are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent system-wide changes or modify other skills. setup.sh writes to its own fonts directory and makes render.js executable; that's limited in scope.
What to consider before installing
This skill appears to actually implement an Excalidraw→PNG renderer and is not asking for credentials, but proceed cautiously:

- Runtime prerequisites are not declared: you need Node.js (and npm) to run render.js/setup.sh; setup.sh also uses curl, unzip and optionally python3/fonttools. The registry metadata lists 'required binaries: none', which is inconsistent; assume Node/npm are required.
- The provided setup.sh will run 'npm install' (pulling packages from npm) and download fonts from jsdelivr/github. Review package-lock.json and the dependencies (resvg-js, jsdom, roughjs and their transitive deps) before running npm install.
- render.js itself performs only local file I/O (reads JSON input, writes PNG) and does not perform network calls or read environment secrets. The network activity is limited to the optional setup script.
- If you plan to install/run this skill: run setup.sh and render.js in an isolated environment (container or VM), inspect package-lock.json for suspicious packages, and verify the downloaded font URLs. If you cannot review dependencies, avoid running npm install or run it with a package-vetting process.



