Mermaid Diagrams

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: mermaid-diagrams

Version: 0.1.0

The skill bundle consists entirely of documentation files (`.md`) and a metadata file (`_meta.json`). There is no executable code within the bundle itself. The markdown files provide instructions and examples for generating Mermaid diagrams, which aligns perfectly with the stated purpose of the skill. Installation instructions involve standard `npx` commands or file copying, which are for the user/system to install the skill, not for the AI agent to execute as part of its runtime. No evidence of prompt injection, data exfiltration, malicious execution, or other harmful behaviors was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user chooses this install path, they rely on the current remote source and npx behavior.

Why it was flagged

The README documents a user-run remote install path that is not pinned to a specific commit or version. This is disclosed setup guidance, not hidden execution.

Skill content

npx add https://github.com/wpank/ai/tree/main/skills/writing/mermaid-diagrams

Recommendation

Prefer the registry install path or verify/pin the remote source before running installer commands.

What this means

Using the CLI runs locally installed third-party software, though this is purpose-aligned for rendering Mermaid diagrams.

Why it was flagged

The skill suggests an optional third-party CLI for exporting diagrams, which entails local package installation and command execution if the user chooses to use it.

Skill content

Mermaid CLI — `npm install -g @mermaid-js/mermaid-cli` then `mmdc -i input.mmd -o output.png`

Recommendation

Install Mermaid CLI only from trusted package sources, consider pinning versions, and avoid running it on untrusted diagram files.

What this means

Confidential system architecture or data-flow details could be exposed to an external website if the online editor is used.

Why it was flagged

The optional online editor may receive diagram contents if a user pastes or opens sensitive architecture diagrams there.

Skill content

[Mermaid Live Editor](https://mermaid.live) — online editor with PNG/SVG export

Recommendation

Use local rendering tools for sensitive diagrams and avoid including secrets or private infrastructure details in online editors.