Skill v1.0.0

VirusTotal security

Mermaid Workflow Skill · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 4:54 AM
Hash
7f12526cc555d13430de327d8aaa2faa7e01cb17bd8a3f4037d7ef1e916812bd
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: mermaid-workflow-skill
Version: 1.0.0

The skill's core purpose of creating, converting, and inserting Mermaid diagrams is benign. However, it is classified as 'suspicious' due to the explicit and repeated use of the `--no-sandbox` flag for Puppeteer/Chromium in `SKILL.md`, `quick_start.sh`, and `scripts/convert_mermaid.py`. This disables a critical security feature, making the system vulnerable to potential sandbox escapes if `mmdc` processes untrusted input. Additionally, `scripts/convert_mermaid.py` executes external commands via `subprocess.run` and `scripts/create_mermaid.py` embeds user input directly into Mermaid templates, which, without robust sanitization, could introduce command injection or rendering-based vulnerabilities, although no clear malicious intent for self-exploitation is observed. There is no evidence of data exfiltration, persistence, or other malicious activities.