Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contextweave Diagrams

v0.0.5

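A powerful AI-driven automated diagramming and complex-information visualization tool (based on ContextWeave). It not only supports visualizing code and system architecture, but also applies broadly to untangling complex logic, converting knowledge bases, and generating business flowcharts, mind maps, and structured infographics from long text. Through deep semantic analysis and request orchestration, it turns obscure text and complex knowledge into clear, intuitive graphics in one click.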

by ContextWeave @qhyw99
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description describe a diagram-generation client; requesting CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_API_URL and node is consistent with that purpose. However, the skill expects local Node scripts to exist for the actual backend invocation, yet no code or install spec is provided in the package — a mismatch between claimed capability and what is delivered.
Instruction Scope
SKILL.md explicitly instructs the agent to write an absolute-path input_file under .cw_skill/requests and then run a Node script (node scripts/generate_contextweave.cjs). It also requires strict JSON-only replies and session handling. The instructions forbid scanning user directories and sending unrelated local files (good), but they nonetheless require file I/O and execution of specific local scripts that are not present in this package, which is a significant operational gap and raises risk if the agent attempts to fetch or run missing code later.
Install Mechanism
No install spec is present (instruction-only). This minimizes on-disk install risk. The absence of an install step is coherent with an instruction-only client, but combined with the missing scripts it leaves unclear how required scripts should appear in the runtime environment.
Credentials
Only two environment variables are required: an API key (primary) and an API URL. These are proportionate to a remote diagram-generation service. SKILL.md explicitly forbids discovering credentials by scanning the filesystem, which is appropriate. There is no request for unrelated secrets or extra credentials.
Persistence & Privilege
always is false and the skill does not ask for system-wide changes or persistent installation. It writes files only to a scoped .cw_skill/requests directory in the workspace per its rules. There is no evidence it tries to modify other skills or agent-wide config.
What to consider before installing
This skill mostly makes sense for a client that calls a ContextWeave backend (node + API key + URL), but the SKILL.md requires running local Node scripts (scripts/generate_contextweave.cjs and scripts/cw_client.cjs) that are not included in the package and there is no install step. Before installing or enabling:
1) ask the publisher for the missing scripts or a verified install package (homepage/source are absent);
2) verify where those scripts would come from and inspect their code — do not run unknown Node scripts unreviewed;
3) confirm you’re comfortable granting the skill write access to the workspace (it will create .cw_skill/requests files) and provide only the dedicated API key (avoid reusing high-privilege credentials);
4) if you can’t obtain the implementation, treat this as incomplete and avoid enabling autonomous runs — run it manually in a sandboxed environment to test.
If the author can provide repository/source or signed package containing the scripts, re-evaluate once code is available.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f7kx67h56chb9ze9jckrk2s83562w

Runtime requirements

🧠 Clawdis
Bins: node
Env: CONTEXTWEAVE_MCP_API_KEY, CONTEXTWEAVE_API_URL
Primary env: CONTEXTWEAVE_MCP_API_KEY
