Architecture Diagram

Security checks across malware telemetry and agentic risk

Overview

This skill generates Mermaid architecture diagrams and can render them through Kroki, with a privacy caveat for sensitive diagrams.

Installing this skill is reasonable if you are comfortable using an external renderer. Do not send secrets, private network topology, internal hostnames, account IDs, or confidential architecture details to Kroki or mermaid.live; use Mermaid code output or a local/internal renderer for sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill includes code and instructions that perform outbound network access to kroki.io and write image data to a local file, yet no permissions are declared. This creates a transparency and policy-enforcement gap: a host may allow the skill to run under the assumption that it is documentation-only or low-risk, while it can actually exfiltrate user-supplied diagram content to a third party and persist files locally.

Vague Triggers

Medium
Confidence: 89%
Finding: The quick-start examples are highly generic phrases like 'architecture cloud aws', 'diagram neural network', and 'mermaid flowchart', which can cause the skill to activate on broad, ordinary user requests instead of only when explicitly invoking this tool. Over-broad activation increases the chance of unintended routing, prompt collisions with other skills, and accidental exfiltration of user context to this skill's rendering workflow or external services referenced by the skill.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill instructs sending Mermaid diagram content to the external Kroki API without warning users that their prompts, architecture details, or internal system designs may leave the local environment. In the context of an architecture-diagram skill, users are especially likely to include sensitive infrastructure, network topology, or database information, making silent third-party transmission more dangerous than in a generic image tool.

Missing User Warnings

Medium
Confidence: 91%
Finding: The script sends diagram content to the external Kroki service without an explicit warning or consent step, which can leak sensitive architecture details, internal topology, or proprietary system design off-host. In the context of an architecture-diagram skill, users are especially likely to provide confidential infrastructure information, making silent transmission materially risky.

VirusTotal

67/67 vendors flagged this skill as clean.
