Mermaid Image Generator

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill coherently converts Mermaid diagrams to images, with disclosed use of the mermaid.ink external API and a local curl command.

This appears safe for ordinary Mermaid diagram rendering. Before installing, understand that diagram content leaves your machine for mermaid.ink rendering, and the script uses local Node.js/curl to write an output image file. Avoid confidential diagrams unless you switch to a local renderer.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can run curl and write an output file chosen by the command arguments.

Why it was flagged

The skill runs the local curl binary to download the rendered image. This is disclosed and purpose-aligned, but users should notice that local command execution is part of the workflow.

Skill content

const result = spawnSync('curl', ['-sL', url, '-o', outputPath], {

Recommendation

Use it in a normal trusted local environment, keep curl/Node.js trusted, and choose output paths deliberately.

What this means

Anything included in the Mermaid diagram may be transmitted to mermaid.ink for rendering.

Why it was flagged

The skill explicitly discloses that Mermaid diagram text is sent to an external rendering service, which matters if diagrams include confidential architecture, business, or personal information.

Skill content

Diagram code is sent to mermaid.ink API
- Do not include sensitive information in diagrams

Recommendation

Do not use this skill for sensitive diagrams; use a local Mermaid renderer instead when confidentiality matters.

What this means

The skill may fail or behave differently depending on the local Node.js and curl available on the system.

Why it was flagged

The registry metadata does not declare runtime binaries, while the provided skill documentation and script rely on Node.js and curl. This is a dependency declaration clarity issue, not evidence of malicious behavior.

Skill content

Required binaries (all must exist): none
No install spec — this is an instruction-only skill.

Recommendation

Verify that Node.js and curl are installed from trusted sources before using the skill.