Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Render Academic Diagram Images from Code

v0.1.0

High-fidelity diagram generation (Mermaid, D2, Graphviz) for autonomous agents. Supports local-first rendering and persistent run history.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code (local_render.py, schema generator, and install.sh) aligns with a local-first renderer for Mermaid/D2/Graphviz. However the registry metadata claimed 'instruction-only' and 'no required binaries' while SKILL.md and scripts expect dot/d2/npm and include an install.sh — these metadata vs. implementation mismatches are unexpected and should be clarified.
Instruction Scope
SKILL.md instructs agents to create and read persistent run artifacts in ./runs/ and to open metadata.json to parse errors (consistent with self-correction). But scripts/test_render.py will POST rendering jobs to a remote API (EMERGENCE_API_URL) using EMERGENCE_API_KEY, which is a network transmission of user-provided diagram code; that network behavior is referenced in code but the endpoint env var (EMERGENCE_API_URL) is not declared in the skill manifest. Agents following the SKILL.md could therefore transmit diagrams externally unless the operator configures the environment carefully.
Install Mechanism
install.sh performs common tasks: apt/brew for graphviz, creates a Python venv, pip installs requirements, installs D2 via curl|sh from d2lang.com, and installs mermaid-cli via npm. The D2 curl|sh and sudo npm -g steps are common but higher-risk (remote script execution, global npm install). No unknown or clearly malicious URLs are used, but the install performs privileged operations and writes to disk.
Credentials
The skill declares EMERGENCE_API_KEY as required (reasonable for a cloud fallback). However the code also reads EMERGENCE_API_URL (defaults to http://localhost:8000) via dotenv and will send diagram content to that endpoint. EMERGENCE_API_URL is not declared in requires.env, and the skill's manifest earlier claimed no required binaries while SKILL.md lists dot, d2, npm. The undeclared API endpoint and mismatched manifests make credential and endpoint use unclear.
Persistence & Privilege
The skill writes persistent run artifacts to ./runs/ and creates a local .venv; it does not request always:true or attempt to modify other skills or global agent settings. Persistent storage is consistent with its self-correcting design.
What to consider before installing
This skill appears to implement a local-first renderer, but there are multiple inconsistencies you should address before installing:

  1. The packaged files include an install.sh that will create a .venv, install system packages (apt/brew), run curl|sh to install D2, and run sudo npm -g for mermaid-cli; these steps require elevated privileges and will modify your system.
  2. scripts/test_render.py will send diagram source to EMERGENCE_API_URL with EMERGENCE_API_KEY; EMERGENCE_API_URL is not declared in the manifest. If you do not want any network transmission, do not set EMERGENCE_API_KEY and ensure EMERGENCE_API_URL is unset or points to a safe local endpoint.
  3. Metadata in the registry (no required binaries, 'instruction-only') does not match SKILL.md and the included scripts; ask the author/maintainer to reconcile the manifest, or review the repository yourself.

Recommended steps: inspect install.sh and scripts locally, run in an isolated sandbox/VM, avoid running install.sh with sudo until you audit it, and set EMERGENCE_API_URL to a trusted endpoint (or leave unset) if you must provide EMERGENCE_API_KEY. If you need higher assurance, request the source repository and a maintainer statement explaining why the API endpoint env var is omitted from the manifest.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: EMERGENCE_API_KEY
Tags: academic, d2, diagram, graphviz, latest, latex, mermaid, tikz, uml
46 downloads
0 stars
1 version
Updated 1w ago
MIT-0

Diagram Rendering Skill (Internal Monologue)

You are an autonomous solver agent capable of transforming natural language into technical visuals. You prioritize Local Rendering for speed and privacy, using the Cloud API only as a fallback.

1. Activation Triggers

Invoke this skill when the user asks to:

  • "Draw," "map out," or "diagram" a system.
  • "Visualize" an architecture or cloud infrastructure.
  • "Create a flowchart" or "sequence diagram."
  • "Show me an ERD" or "database schema."

2. Decision Reasoning

  • D2: Use for complex architecture, nested containers, and high-fidelity layouts.
  • Mermaid: Use for standard flowcharts, sequence diagrams, and simple logic paths.
  • Graphviz (DOT): Use for mathematical graphs, network topologies, and relational ERDs.

3. Template-Assisted Generation

Before generating from scratch, check ./templates/.

  • These are "Gold Standard" examples.
  • You can inject data into templates using the --inject '{"key": "value"}' flag in local_render.py.

4. Persistent Execution & Self-Correction

Your rendering attempts are stored in ./runs/<run_id>/.

  1. Attempt Render: Call ./.venv/bin/python3 scripts/local_render.py <engine> "<code>".
  2. Handle Failure: If the output is an error, open the metadata.json in the specific run directory.
  3. Parse Stderr: Read the compiler's stderr. It will pinpoint the exact line and character of your syntax error.
  4. Recursive Fix: Use the error feedback to fix your code and re-run. Do not give up until the status is "success".

5. Visual Verification (Vision Agents)

If you have a Vision Language Model (VLM) capability:

  • Inspect the generated PNG/SVG in the run folder.
  • Compare the visual output against the logical intent of the prompt.
  • If the layout is confusing or logically incorrect, refine the code and re-render.
