Mermaid Diagrams
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user chooses this install path, they rely on the current remote source and npx behavior.
The README documents a user-run remote install path that is not pinned to a specific commit or version. This is disclosed setup guidance, not hidden execution.
npx add https://github.com/wpank/ai/tree/main/skills/writing/mermaid-diagrams
Prefer the registry install path or verify/pin the remote source before running installer commands.
Using the CLI runs locally installed third-party software, though this is purpose-aligned for rendering Mermaid diagrams.
The skill suggests an optional third-party CLI for exporting diagrams, which entails local package installation and command execution if the user chooses to use it.
Mermaid CLI — `npm install -g @mermaid-js/mermaid-cli` then `mmdc -i input.mmd -o output.png`
Install Mermaid CLI only from trusted package sources, consider pinning versions, and avoid running it on untrusted diagram files.
Confidential system architecture or data-flow details could be exposed to an external website if the online editor is used.
The optional online editor may receive diagram contents if a user pastes or opens sensitive architecture diagrams there.
[Mermaid Live Editor](https://mermaid.live) — online editor with PNG/SVG export
Use local rendering tools for sensitive diagrams and avoid including secrets or private infrastructure details in online editors.
