Skill v1.0.0
ClawScan security
Mermaid Image Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 7:29 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it says (a small Node script that encodes Mermaid text and fetches PNG/SVG from mermaid.ink), and its requirements and behavior are largely consistent with the description.
- Guidance: This skill is internally coherent and appears safe for normal use, but check a few things before installing:
  1) The script requires the curl binary (it will fail if curl is absent); ensure curl is available or modify the script to use Node https.
  2) Diagram source is sent to mermaid.ink; do not send sensitive or private information.
  3) Review the small script yourself (it's short) to confirm it matches your expectations; run in an isolated environment if you have stricter privacy requirements.
  4) Be aware of network access, service rate limits, and the mermaid.ink privacy/policy if you plan to process many diagrams.
Review Dimensions
- Purpose & Capability (note): The name/description match the included script and instructions: it encodes Mermaid and calls mermaid.ink. Minor inconsistency: SKILL.md advertises "zero dependencies" and the registry lists no required binaries, but the script calls the external 'curl' binary via spawnSync; if curl is not present the script will fail. This is a small mismatch but explainable.
- Instruction Scope (ok): Runtime instructions and the script stay within scope: read Mermaid from file/stdin, base64-encode, call mermaid.ink, write image file. The SKILL.md explicitly warns that diagram code is sent to an external service and advises against including sensitive data.
- Install Mechanism (ok): No install spec (instruction-only) and the code does not download or execute third-party archives. The script spawns curl to fetch images; there is no remote install/download of code beyond contacting the mermaid.ink rendering endpoint.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The script does not attempt to read unrelated configuration or secrets.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges and only writes the requested output file(s). It does not modify other skills or system-wide agent settings.
