Skill v1.0.0

ClawScan security

drawio-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 12:41 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill and its single script are coherent with the stated purpose (generating draw.io URLs from Mermaid/XML/CSV); it requests no credentials, has no install steps, and only builds a URL pointing to app.diagrams.net.
Guidance
This skill appears to be what it says: it builds a draw.io URL that embeds your diagram data and prints a markdown link. Before using it, consider: (1) The generated URL encodes your diagram content and when opened will send that content to app.diagrams.net — avoid embedding sensitive data in diagrams if you don't want it transmitted to a third party. (2) You can inspect or run the small Python script locally to verify behavior; it only encodes/compresses the input and constructs a URL. (3) Be cautious clicking links from untrusted sources; if you prefer not to send content to the web, use the draw.io desktop app or export diagrams locally.

Review Dimensions

Purpose & Capability
ok: Name/description match the contained script and instructions. The included Python script takes diagram text, compresses and encodes it, and constructs a draw.io URL — exactly what the skill claims to do.
Instruction Scope
ok: SKILL.md instructs only to choose a format, write diagram code, and run the provided script. The instructions do not ask the agent to read unrelated files, access credentials, or transmit data to unexpected endpoints. The only external endpoint referenced is app.diagrams.net, consistent with the skill purpose.
Install Mechanism
ok: No install spec (instruction-only with one script). No downloads, no package managers, and nothing is written to disk beyond the provided script. Low installation risk.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. The script does not access secrets or system configuration — proportional to the declared function.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent privileges. It does not modify other skills or system settings.