Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mermaid Renderer

v1.0.0

Renders Mermaid diagrams. Use it when the user needs a visual rendering of a flowchart, sequence diagram, class diagram, pie chart, Git branch graph or similar diagram. Two output modes are supported: 1) ASCII text output in the terminal (default); 2) export to an image file (when the --image/--png argument is given). Trigger phrases include "draw a flowchart", "generate a sequence diagram", "render a Mermaid diagram" and "export the diagram as an image".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and scripts/render.py align: the code parses Mermaid text and renders either terminal ASCII (via termaid) or PNGs (via matplotlib). Supported chart types in references/chart-types.md match the parser's branches. This is internally coherent for a renderer.
Instruction Scope
SKILL.md instructs using `python3.11 -m termaid` for terminal output and calling scripts/render.py for images — that matches the code. However SKILL.md also states that generated PNGs are 'uploaded to BOS' but there are no declared env vars, config paths, or instructions for credentials; the visible portion of scripts/render.py does not show an upload implementation (file is truncated), creating an unexplained behavior gap.
Install Mechanism
There is no install spec (instruction-only skill), and the included script expects Python 3.11 plus third-party packages (termaid, matplotlib, numpy). That is low-risk as long as you trust and install those packages yourself; the skill does not download arbitrary code at install time.
Credentials
The skill declares no required environment variables or credentials, yet SKILL.md mentions uploading images to 'BOS' (object storage), which would normally require credentials (API key/secret). This mismatch is a red flag: either the upload is not implemented or it expects hidden/default credentials — neither is declared.
Persistence & Privilege
The skill does not request always:true or any persistent/system-wide changes. It is user-invocable and allows autonomous invocation (platform default), which is normal for a skill of this type.
What to consider before installing
Before installing or enabling:
1) Inspect the full scripts/render.py to confirm whether it uploads PNGs and to which endpoint; if it uploads to 'BOS', look for explicit upload code and the credentials/env vars it uses.
2) If you expect image upload, require the maintainer to declare which env vars are needed (and why) — do not supply cloud credentials until you have verified the destination and access scope.
3) Ensure the required Python packages (termaid, matplotlib, numpy) are installed from trusted sources; termaid is invoked as a module, so review its behavior.
4) Run the skill in a sandbox or with limited privileges first to observe its network activity.
5) If you cannot review the remaining part of render.py, or the author/source is unknown, avoid supplying secrets or enabling automatic uploads — consider editing the script to save images locally only.
