Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Diagram

v1.0.0

Generate diagrams from descriptions with Mermaid, PlantUML, or ASCII for architecture, flows, sequences, and data models.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md describes producing Mermaid/PlantUML/ASCII diagrams and gives examples. Minor inconsistency: the doc shows invoking mermaid-cli via `npx` (which requires Node/npm) but the skill's required-binaries list is empty — the author didn't declare Node as a prerequisite.
Instruction Scope
Instructions stay on-topic: choose diagram type, produce Mermaid/PlantUML/ASCII, render to image or HTML. The document does not instruct reading unrelated files, environment variables, or exfiltrating data. Example commands (npx mmdc) are the only external runtime actions suggested.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However the SKILL.md recommends using `npx @mermaid-js/mermaid-cli` which will fetch and execute code from the npm registry at runtime — a common workflow but one that pulls remote code when executed.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate for a diagram helper.
Persistence & Privilege
always:false and no install or config changes are declared. The skill does not request persistent presence or elevated privileges.
Assessment
This skill is coherent and only provides instructions for producing diagrams. Before running commands the skill suggests (for example `npx @mermaid-js/mermaid-cli`), be aware those commands will download and run code from the npm registry and require Node/npm installed on the host. If you or your agent will execute shell commands, prefer installing and vetting the mermaid-cli package in advance (or use a trusted renderer/service) rather than blindly running on-demand `npx` installs. No credentials are requested by the skill, but as always be cautious about allowing any agent to execute arbitrary shell commands or install third-party packages.

Like a lobster shell, security has layers — review code before you run it.
