Excalidraw Creator
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for rendering Excalidraw-style diagrams, but users should notice that it runs a local Node.js renderer and its setup script can install packages and download fonts.
This looks safe for its intended purpose. Before installing, be aware that it relies on a local Node.js renderer and that its setup script can install npm packages and download fonts from external sources. Avoid using it on sensitive diagram content unless you are comfortable sending the generated PNG through your normal message/file workflow.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may run local JavaScript to convert diagram JSON into an image file.
The skill instructs the agent to run a local Node.js script to render the diagram. This is expected for its PNG-rendering purpose, but users should know installation enables local code execution.
`node <skill_dir>/scripts/render.js /tmp/<name>.excalidraw /tmp/<name>.png`
Use it when you are comfortable with a local renderer being executed, and keep generated input/output paths scoped to temporary or project-specific files.
Running setup may contact npm, jsDelivr, and GitHub to install renderer dependencies and fonts.
The setup script installs npm dependencies and downloads font assets from external sources. These downloads are purpose-aligned for rendering diagrams, but they are not declared in the registry install spec.
`npm install` ... `curl -sL "https://cdn.jsdelivr.net/.../Virgil.woff2"` ... `curl -sL "https://github.com/microsoft/cascadia-code/...zip"`
Review the setup script and dependency sources before running setup, especially in restricted or high-trust environments.
