Mermaid Workflow Skill

Security checks across malware telemetry and agentic risk

Overview

This Mermaid diagram skill is coherent, but it needs Review because it normalizes running Chromium/Mermaid rendering with the Chromium sandbox disabled and edits Markdown files in place.

Install only if you trust the Mermaid files being rendered or can run the conversion inside a container/VM. Keep Chromium sandboxing enabled whenever possible (the `--no-sandbox` workaround removes the isolation that would contain a renderer compromise), avoid the automatic npx fallback in sensitive environments since it fetches and runs the package at render time when it is not already installed, and use version control or backups before letting the skill modify Markdown files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"Running command: {' '.join(cmd)}")

    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

        if result.returncode == 0:
            print(f"✅ Mermaid diagram converted to PNG: {output_file}")
Confidence
87% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            cmd[0] = 'npx'
            cmd.insert(1, '@mermaid-js/mermaid-cli')

            result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
            if result.returncode == 0:
                print(f"✅ Conversion via npx succeeded: {output_file}")
                return True
Confidence
91% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly recommends Puppeteer args `--no-sandbox` and `--disable-setuid-sandbox` to work around Mermaid CLI launch issues, without a warning about the security tradeoff. Disabling Chromium sandboxing weakens process isolation and increases risk if untrusted Mermaid content or browser-exploitable input is rendered.
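The rendering path the three findings above call for, written as an added example rather than the skill's own script: a fixed argument vector run without a shell, input and output confined to one working directory, an explicit lookup of an installed `mmdc` with no `npx` fallback, a trimmed environment for the child process, and a Puppeteer config that keeps the Chromium sandbox on unless the caller opts out and is warned. The `-i`, `-o` and `-p` flags are mermaid-cli's documented options; the function names, the `/srv/mermaid` working directory and the environment allow-list are assumptions made for this example.

```python
"""Hardened mmdc wrapper (added example, not code from the skill under review)."""
from __future__ import annotations

import json
import os
import shutil
import subprocess
import tempfile
import warnings
from pathlib import Path

ALLOWED_OUTPUT_SUFFIXES = {".png", ".svg", ".pdf"}
# Assumed minimal environment for the renderer; extend only if Chromium needs more.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR")


def puppeteer_config(allow_no_sandbox: bool = False) -> dict:
    """Config dict for `mmdc -p`. The default keeps Chromium's sandbox enabled.

    allow_no_sandbox=True reproduces the README's workaround, but only as an
    explicit opt-in with a warning: without the sandbox a renderer bug triggered
    by a crafted .mmd file is no longer contained to the browser process.
    """
    if not allow_no_sandbox:
        return {"args": []}
    warnings.warn(
        "Chromium sandbox disabled for this render; do this only inside a "
        "container or VM that holds no secrets",
        stacklevel=2,
    )
    return {"args": ["--no-sandbox", "--disable-setuid-sandbox"]}


def validate_paths(input_file: str, output_file: str, root: str) -> tuple[Path, Path]:
    """Confine both paths to `root` and require the expected extensions.

    Raises ValueError on traversal (../), absolute paths outside root, or a
    wrong suffix, so a prompt-injected filename cannot point mmdc elsewhere.
    """
    base = Path(root).resolve()
    src = (base / input_file).resolve()
    dst = (base / output_file).resolve()
    for p in (src, dst):
        try:
            p.relative_to(base)
        except ValueError:
            raise ValueError(f"path escapes working directory: {p}") from None
    if src.suffix != ".mmd":
        raise ValueError(f"input must be a .mmd file: {src.name}")
    if dst.suffix not in ALLOWED_OUTPUT_SUFFIXES:
        raise ValueError(f"unsupported output type: {dst.suffix}")
    return src, dst


def build_mmdc_command(mmdc: str, src, dst, config_file) -> list[str]:
    """Argument vector for subprocess.run: no shell, so no quoting or injection."""
    return [mmdc, "-i", str(src), "-o", str(dst), "-p", str(config_file)]


def find_mmdc() -> str | None:
    """Locate an already-installed mmdc. Deliberately no `npx` fallback, which
    would fetch and execute a package from the registry at render time."""
    return shutil.which("mmdc")


def render(input_file: str, output_file: str, root: str = ".",
           allow_no_sandbox: bool = False, timeout: int = 30) -> Path:
    """Render one Mermaid file to `output_file`; returns the path or raises."""
    mmdc = find_mmdc()
    if mmdc is None:
        raise RuntimeError("mmdc not found: install @mermaid-js/mermaid-cli explicitly")
    src, dst = validate_paths(input_file, output_file, root)
    # Only allow-listed variables reach the child, limiting what a compromised
    # renderer could harvest from the environment.
    env = {k: v for k, v in os.environ.items() if k in ENV_ALLOWLIST}
    with tempfile.TemporaryDirectory() as tmp:
        config_file = Path(tmp) / "puppeteer-config.json"
        config_file.write_text(json.dumps(puppeteer_config(allow_no_sandbox)))
        argv = build_mmdc_command(mmdc, src, dst, config_file)
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, env=env, cwd=src.parent)
    if proc.returncode != 0:
        raise RuntimeError(f"mmdc failed ({proc.returncode}): {proc.stderr.strip()}")
    return dst
```

A call such as `render("diagram.mmd", "out/diagram.png", root="/srv/mermaid")` does the same job as the skill's subprocess path, but fails closed: a missing `mmdc` is an error instead of a download, a path outside `root` is rejected before anything runs, and `--no-sandbox` never appears unless the caller asked for it and saw the warning.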

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation condition includes a catch-all for essentially any Mermaid-supported chart type, which makes the skill eligible in a very broad set of situations. Overly broad activation increases the chance the agent invokes a workflow that writes files and runs local CLI tooling when the user did not explicitly request those side effects, creating unnecessary execution and file-modification risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly includes inserting images into Markdown and even replacing placeholders or inserting at specified positions, but the description does not foreground that it will modify existing Markdown content. This can lead to unintended document changes, overwrites, or content corruption if the skill is activated automatically or used on the wrong file.
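Because the finding above concerns side effects on the document, here is an added example (not the skill's own code) of the two insert modes it describes, placeholder replacement and insertion at a line number, written as pure functions over the Markdown text. A unified diff is produced for review before anything is written, and the apply step refuses to overwrite the file without first saving a backup. `SAMPLE_DOC` is constructed sample input and all function names are assumptions made for this example.

```python
"""Non-destructive Markdown image insertion (added example, not the skill's code)."""
from __future__ import annotations

import difflib
from pathlib import Path

# Constructed sample document with one placeholder comment.
SAMPLE_DOC = "# Design\n\nSee the flow below.\n\n<!-- mermaid:flow -->\n\nDone.\n"


def image_markdown(image_path: str, alt: str) -> str:
    """Markdown image link; forward slashes so the link also renders on Windows."""
    return f"![{alt}]({image_path.replace(chr(92), '/')})"


def replace_placeholder(text: str, placeholder: str, image_md: str) -> str:
    """Replace exactly one occurrence. Zero or several occurrences raise, so the
    wrong file or a repeated token cannot silently corrupt the document."""
    count = text.count(placeholder)
    if count != 1:
        raise ValueError(f"expected exactly one '{placeholder}', found {count}")
    return text.replace(placeholder, image_md, 1)


def insert_at_line(text: str, line_no: int, image_md: str) -> str:
    """Insert image_md as its own line before 1-based line_no.

    line_no == len(lines) + 1 appends; anything else out of range raises rather
    than silently clamping to the end of the file.
    """
    lines = text.splitlines(keepends=True)
    if not 1 <= line_no <= len(lines) + 1:
        raise ValueError(f"line {line_no} out of range for a {len(lines)}-line file")
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"  # keep an appended image on its own line
    lines.insert(line_no - 1, image_md + "\n")
    return "".join(lines)


def preview(original: str, updated: str, name: str) -> str:
    """Unified diff of the proposed change for a dry run / operator approval."""
    return "".join(difflib.unified_diff(
        original.splitlines(keepends=True),
        updated.splitlines(keepends=True),
        fromfile=name, tofile=name + " (proposed)",
    ))


def apply(md_file: Path, updated: str) -> Path:
    """Write `updated` to md_file only after copying the original to a backup.

    Refuses if a backup already exists so an earlier original is never clobbered
    by a second run; returns the backup path.
    """
    backup = md_file.with_name(md_file.name + ".bak")
    if backup.exists():
        raise FileExistsError(f"backup already present, resolve it first: {backup}")
    backup.write_bytes(md_file.read_bytes())
    md_file.write_text(updated, encoding="utf-8")
    return backup
```

Typical use is `updated = replace_placeholder(text, "<!-- mermaid:flow -->", image_markdown("images/flow.png", "Request flow"))`, show `preview(text, updated, "design.md")` to the user, and only then call `apply(Path("design.md"), updated)`. The strict occurrence count and range check are what turn "inserted at the wrong place" into an error instead of a corrupted document.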

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill depends on executing external CLI tools such as Python scripts and Mermaid CLI, but the top-level description does not clearly warn users that shell commands will be run. Hidden or under-disclosed command execution is dangerous because it expands the trust boundary to local tooling, environment configuration, and any subprocess behavior, including browser-based rendering via Puppeteer.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal