Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mermaid Image Export
v1.0.0 · Mermaid diagram image export using mermaid-cli. When Claude needs to export Mermaid diagrams as high-quality images (PNG, SVG, PDF) for documentation, presen...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name and SKILL.md describe a mermaid-cli image exporter, and the included scripts (export_mermaid_image.py, install_mermaid_cli.py, batch_export.sh) implement that purpose. However, the registry metadata lists no required binaries or environment variables, while the documentation repeatedly requires Node.js, npm, mermaid-cli (mmdc) and Chrome/Chromium. The gap between declared and actual requirements is an inconsistency worth noting: dependencies that are not declared cannot be checked or approved at install time.
Instruction Scope
Runtime instructions are focused on exporting diagrams via mermaid-cli/Puppeteer. They reference creating temporary .mmd files, running mmdc (or npx mmdc) and setting env vars such as PUPPETEER_EXECUTABLE_PATH, MMDC_TIMEOUT, NODE_OPTIONS and PUPPETEER_ARGS. The instructions do not direct data to external endpoints or request credentials, but they do instruct installing global npm packages and, in the CI/Docker guidance, disabling the Puppeteer (Chromium) sandbox with --no-sandbox. Both broaden the skill's runtime capabilities: a global install changes the toolchain for every user of that npm prefix, and --no-sandbox removes the process-level containment that would otherwise limit a compromised renderer, so any problem in the headless browser runs with the full privileges of the invoking user.
Install Mechanism
There is no formal install spec in the registry; installation is handled by the included scripts and by instructing the user to run npm install -g @mermaid-js/mermaid-cli and to install Chrome/Chromium. Global npm installs and Puppeteer are common for this functionality (moderate risk), but the lack of an explicit, auditable install manifest in the registry, combined with reliance on executing install helper scripts, increases the risk compared to an instruction-only skill.
Credentials
The skill declares no required environment variables or credentials, yet the documentation and code reference several env vars (PUPPETEER_EXECUTABLE_PATH, MMDC_TIMEOUT, NODE_OPTIONS, PUPPETEER_ARGS) and suggest changing PATH and performing npm global installs. While none of these are secrets, the skill asks for environment modifications and may run commands that rely on system binaries and global npm packages. The registry entry should have declared Node and Chrome as required binaries to match the real needs.
Persistence & Privilege
The skill does not request always:true, does not declare persistent credentials, and does not claim to modify other skills or global Claw settings. It operates via scripts invoked at runtime and therefore has normal, limited persistence/privilege for a tooling skill.
What to consider before installing
This package appears to implement a legitimate mermaid-cli exporter, but there are inconsistencies you should clear up before installing:
1) The registry metadata omits the real requirements (Node.js, npm, Chrome/Chromium, mermaid-cli). Treat the included install helper scripts as code you will run locally.
2) Inspect scripts/export_mermaid_image.py and scripts/install_mermaid_cli.py for any subprocess calls (they likely call mmdc/npx and spawn Chrome); confirm they only run expected commands and do not call unexpected network endpoints.
3) Avoid running npm global installs or running with --no-sandbox on sensitive hosts; prefer running the skill inside a sandbox/container or CI runner.
4) If you need to trust the source, verify repository links and authorship (package.json repository points to a different project).
If you are not comfortable auditing the scripts, run this in an isolated environment (container or VM) or use a known mermaid-cli installation you manage yourself and configure the skill to use that (e.g., specify --mermaid-cmd 'npx mmdc' or the path to your mmdc).
Like a lobster shell, security has layers — review code before you run it.
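Items 2 and 3 above, together with the --no-sandbox and env-var points under Instruction Scope, can be checked mechanically before any of the helper scripts are executed. The following is an added example written for this page, not code from ClawHub or from the Mermaid Image Export skill: it parses a Python helper script with the standard-library ast module and reports every subprocess/os spawn and the command it runs, commands outside an allowlist, --no-sandbox flags, writes to os.environ, and network-client imports or calls. SAMPLE_SCRIPT and CLEAN_SCRIPT are constructed inputs standing in for scripts/export_mermaid_image.py and scripts/install_mermaid_cli.py, not their real contents, and the allowlist (mmdc, npx mmdc) is an assumption about what a mermaid exporter should need.

```python
"""Pre-install static audit of a skill's Python helper scripts.

Added example for this page; not code from ClawHub or the Mermaid Image
Export skill. Walks each script's AST and reports the things a reviewer
should look at before running it: spawned commands (and whether they are
on the allowlist), --no-sandbox flags, os.environ writes, and network use.
"""
import ast

ALLOWED_COMMANDS = {"mmdc", "npx"}   # assumption: all a mermaid exporter should spawn
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "httpx", "aiohttp"}
SPAWN_FUNCS = {"run", "call", "check_call", "check_output", "Popen", "system", "popen"}

# Constructed sample (hypothetical helper) with one finding of each kind.
SAMPLE_SCRIPT = '''
import os, subprocess
import urllib.request
os.environ["PUPPETEER_EXECUTABLE_PATH"] = "/usr/bin/chromium"
def export(src, out):
    subprocess.run(["mmdc", "-i", src, "-o", out, "--no-sandbox"], check=True)
def install():
    subprocess.check_call(["npm", "install", "-g", "@mermaid-js/mermaid-cli"])
def telemetry():
    urllib.request.urlopen("https://example.invalid/ping")
'''

# Constructed sample of a helper that should pass clean.
CLEAN_SCRIPT = '''
import subprocess
def export(src, out):
    subprocess.run(["mmdc", "-i", src, "-o", out], check=True)
'''


def _dotted(node):
    """Dotted name of an attribute chain, e.g. 'subprocess.run'; '' if unresolvable."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _argv(call):
    """Recover argv from the first argument; non-literal list elements become '<expr>'."""
    if not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, ast.List):
        return [e.value if isinstance(e, ast.Constant) and isinstance(e.value, str)
                else "<expr>" for e in arg.elts]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return arg.value.split()          # shell-style string command
    return None                           # built at runtime; must be read by hand


def audit_script(source, allowed=ALLOWED_COMMANDS):
    """Return (kind, lineno, detail) findings for one script, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(("network_import", node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                findings.append(("network_import", node.lineno, node.module))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            head, tail = name.split(".")[0], name.split(".")[-1]
            if head in ("subprocess", "os") and tail in SPAWN_FUNCS:
                argv = _argv(node)
                if not argv or argv[0] == "<expr>":
                    findings.append(("dynamic_command", node.lineno, name))
                    continue
                cmd = " ".join(argv)
                # npx is only acceptable when it is launching mmdc
                if argv[0] not in allowed or (argv[0] == "npx" and argv[1:2] != ["mmdc"]):
                    findings.append(("unexpected_command", node.lineno, cmd))
                if "--no-sandbox" in argv:
                    findings.append(("no_sandbox", node.lineno, cmd))
            elif tail == "urlopen" or head in ("requests", "httpx", "socket"):
                findings.append(("network_call", node.lineno, name))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Subscript) and _dotted(target.value) == "os.environ":
                    key = target.slice
                    key = key.value if isinstance(key, ast.Constant) else "<dynamic>"
                    findings.append(("env_write", node.lineno, key))
    return sorted(findings, key=lambda f: f[1])


def verdict(findings):
    """'ok' only when nothing beyond plain env writes was found."""
    risky = {"unexpected_command", "dynamic_command", "no_sandbox",
             "network_call", "network_import"}
    return "review" if any(f[0] in risky for f in findings) else "ok"


if __name__ == "__main__":
    for kind, line, detail in audit_script(SAMPLE_SCRIPT):
        print(f"{kind:18} line {line}: {detail}")
    print("verdict:", verdict(audit_script(SAMPLE_SCRIPT)))
```

Run it over the real files with audit_script(open("scripts/export_mermaid_image.py").read()) and the same for install_mermaid_cli.py. A dynamic_command finding is not evidence of anything bad, but it is exactly the case a static pass cannot clear, so read that call by hand. The audit is deliberately syntactic and will miss commands assembled through string formatting, getattr or exec, which is one more reason to still run the skill inside a container or VM as the report recommends.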
latest · vk97fj1dwyy7j6s6rq8zpw9gtgh83jerd
