PM Toolkit - Excalidraw - "Messy Thoughts" to "Visual Spec" in 30 seconds.

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: thought-to-excalidraw
Version: 1.0.0

The skill is designed to visualize product manager thoughts into an Excalidraw diagram. The `SKILL.md` instructions guide the agent to parse user input, create a temporary JSON file, execute a local Python script (`scripts/layout_diagram.py`) to generate an `.excalidraw` file in a user-owned directory (`~/Downloads/Documents/PM_Visuals/`), and then clean up. The Python script itself only performs local file I/O, reading the temporary JSON and writing the Excalidraw output. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts aimed at harmful actions. All operations are aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill means allowing a local helper script to run and create files on the machine.

Why it was flagged

The skill directs the agent/user to execute a bundled local Python script and write an output diagram file. This is expected for the stated purpose, and the visible code uses local JSON/file operations rather than network or credential access.

Skill content

python3 skills/pm-visualizer/scripts/layout_diagram.py temp_visual_data.json ~/Downloads/Documents/PM_Visuals/Output_Name.excalidraw

Recommendation

Keep the output path in a normal user-writable folder and review generated files before sharing them.

What this means

Users must rely on the provided artifact contents rather than an external project page or repository for trust context.

Why it was flagged

The skill includes runnable local code but does not provide an external source or homepage for provenance. The referenced script is included in the artifact set and no remote install, unpinned package, or hidden dependency is shown.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the bundled script before use if provenance matters in your environment.