cpn_modeling_tool

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: cpn-modeling
Version: 1.0.3

The cpn-modeling skill bundle is a legitimate tool designed to assist users in creating Colored Petri Net (CPN) models for business processes. It provides structured guidance for an AI agent to extract model components from user descriptions and generate outputs in JSON, CPN Tools XML, and interactive HTML formats. The skill uses standard file-writing operations to save visualizations to a temporary directory (/tmp) and provides users with platform-specific commands (e.g., open, xdg-open) to view the results. Analysis of the code and instructions, including the HTML/JavaScript visualization template (html-viz-template.md), reveals no evidence of malicious intent, data exfiltration, or harmful prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may create a local HTML file on your machine for the visualization.

Why it was flagged

The skill explicitly directs the agent to use a file-writing tool to create a local HTML visualization. This is aligned with the stated visualization purpose and scoped to /tmp, but users should know a file will be created.

Skill content
Use the Write tool to write the file directly; do **not** output the HTML content into the conversation
- Write path: `/tmp/<project_id>.html`
Recommendation

Use simple safe project IDs, avoid path-like names, and delete the generated /tmp HTML file when you no longer need it.

What this means

When you open the generated HTML file, your browser runs the visualization script locally.

Why it was flagged

The generated visualization is an HTML page with JavaScript for animation and controls. This is expected for the feature and no external network behavior is shown in the provided visible template, but opening the file will run local browser JavaScript.

Skill content
const data = __CPN_DATA__; ... <button id="btn-auto" onclick="toggleAuto()">▶ 自动运行</button>
Recommendation

Open the generated HTML only when you intended to create the visualization; inspect the file first if the model content came from untrusted input.