ClawHub

Draw.io Professional Diagrams

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent draw.io diagram generator that writes local diagram files and exports images, with only minor scoping and dependency cautions.

Before installing, make sure draw.io is installed from an official or trusted source. Expect the skill to create files under ./diagrams and run draw.io export commands for PNG/SVG/PDF output; use clearer prompts when you do or do not want an actual draw.io diagram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill description says to use this skill for any request involving "diagram," "table," or other broad visualization terms, which can cause the agent to invoke it for loosely related requests outside draw.io diagram generation. Overbroad triggers increase the chance of misrouting user intent, unnecessary tool execution, and unintended file generation/export behavior.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The invocation guidance includes generic keywords such as "diagram," "table," "entity," "class," and "flow" without scope constraints, making accidental activation plausible during normal conversation. In an agent environment, this can lead to the wrong skill taking control, creating files and running exports when the user did not actually ask for a draw.io artifact.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal