Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

drawio-AI-maker

v1.0.2

Converts natural language or documents (docx/pdf/txt) into editable draw.io XML diagrams (.drawio files). Triggers automatically when the user says things like "draw a flowchart", "generate a diagram", "draw an architecture/sequence/network topology diagram", "help me draw the xxx process", or "generate draw.io". Workflow: receive description → generate JSON → user confirms → call gen.py to generate .dr...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (natural language/doc → draw.io XML) aligns with included modules (parser, designer, generator, validator, gen.py). The code implements JSON→XML conversion, layout, validation and file output which are expected for this functionality.
Instruction Scope
SKILL.md and __main__.py restrict actions to: accept text/files, ask host agent/LLM to produce JSON, validate JSON/XML, write a .drawio file to an output directory. The runtime instructions do not attempt to read unrelated secrets or send data to external endpoints. Note: default output directory is a hard-coded absolute path (/Users/owen/Desktop/drawio-generator/) which will write to the user's filesystem unless overridden.
Install Mechanism
No install spec; the skill is instruction + code only. There are optional Python library dependencies (python-docx, pdfplumber) declared in SKILL.md for docx/pdf parsing — these are reasonable and documented. No downloads or network installers are present.
Credentials
The skill does not request credentials or environment variables except an optional DRAWIO_OUTPUT_DIR to override the default output directory. That is proportionate. However the default hard-coded path targets a specific user's Desktop (suggests packaging from a developer machine) — this is a usability/incoherence concern (may create files in unexpected locations).
Persistence & Privilege
always is false and the skill does not declare or attempt to persist or modify other skills or system-wide agent settings. It only writes output files to a directory (expected for this functionality).
What to consider before installing
This skill appears to implement the described draw.io generator, but I found a few problems you should consider before installing or running it:

  • Missing module: scripts/__init__.py imports renderer functions (render_to_png, render_to_svg, check_drawio_available) but there is no renderer.py in the package. This likely causes ImportError or runtime failures in some paths. Ask the author for the missing file or remove references.
  • Hard-coded output path: the default output directory is /Users/owen/Desktop/drawio-generator/. If you run the skill without setting DRAWIO_OUTPUT_DIR or --output-dir it will attempt to write there. Override the directory explicitly and run in a safe directory (or a sandbox) to avoid unexpected file writes.
  • Minor internal inconsistencies: comments and some schema/validator notes don't line up exactly with constants used in code (e.g., ID ranges and comment text). These are probably bugs, not malicious intent, but they can cause the tool to reject valid outputs or misbehave.
  • File parsing dependencies: to parse .docx/.pdf you must install python-docx and pdfplumber locally; the code will raise ImportError if not present. That behavior is documented.
  • No network/exfiltration seen: I did not find network calls, external endpoints, or credential access. The skill asks the host agent to call an LLM (MiniMax) to produce JSON — make sure you trust the agent/LLM and are comfortable that any sensitive diagram content would be sent to it.

Recommendations: run this in a sandbox or isolated environment first; set DRAWIO_OUTPUT_DIR to a directory you control; inspect/fix the missing renderer dependency before relying on it; and if you plan to process sensitive documents, ensure the LLM invocation path (the 'main agent' call) conforms to your privacy requirements.
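The three concrete findings above (a relative import of a module that is not in the package, a hard-coded path into a developer's home directory, and the absence of network calls) are all things you can check for yourself before installing any skill. The script below is an added example written for this page; it is not ClawHub's scanner and not code from the drawio-AI-maker skill. The sample tree it builds in make_sample_skill() is constructed to mimic the layout the scan describes (scripts/__init__.py, generator.py, gen.py), and the file contents, module names and the NETWORK_OR_EXEC list are assumptions for the demo.

```python
"""Static pre-install audit of a skill directory.

Added example for this page; it is not ClawHub's scanner and not the skill's
code. It reproduces three classes of finding from the scan above as plain
checks: relative imports of modules that do not exist in the package, absolute
paths into a user's home directory, and imports that grant network or process
access. The sample tree built by make_sample_skill() is constructed for the
demo and only mimics the layout the scan describes.
"""
import ast
import re
import tempfile
from pathlib import Path

NETWORK_OR_EXEC = {"socket", "requests", "urllib", "urllib3", "http", "httpx", "ftplib", "smtplib", "subprocess"}
HOME_PATH = re.compile(r"/Users/[^/\s'\"]+|/home/[^/\s'\"]+|[A-Za-z]:\\Users\\[^\\\s'\"]+")


def _relative_imports(tree):
    """Yield (level, top-level module name) for every `from .x import y` / `from . import x`."""
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.level:
            if node.module:
                yield node.level, node.module.split(".")[0]
            else:
                for alias in node.names:
                    yield node.level, alias.name


def _absolute_imports(tree):
    """Yield the top-level package of every absolute `import x` / `from x import y`."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and not node.level and node.module:
            yield node.module.split(".")[0]


def audit_skill(root):
    """Scan every .py under root; return findings keyed by category as (file, detail) pairs."""
    root = Path(root)
    findings = {"missing_modules": [], "home_paths": [], "risky_imports": [], "syntax_errors": []}
    for py in sorted(root.rglob("*.py")):
        rel = py.relative_to(root).as_posix()
        source = py.read_text(encoding="utf-8", errors="replace")
        findings["home_paths"] += [(rel, m.group(0)) for m in HOME_PATH.finditer(source)]
        try:
            tree = ast.parse(source, filename=str(py))
        except SyntaxError as exc:
            findings["syntax_errors"].append((rel, exc.msg))
            continue
        for level, name in _relative_imports(tree):
            base = py.parent
            for _ in range(level - 1):  # `from ..x` climbs one package per extra dot
                base = base.parent
            if not (base / f"{name}.py").exists() and not (base / name / "__init__.py").exists():
                findings["missing_modules"].append((rel, name))
        findings["risky_imports"] += [(rel, n) for n in _absolute_imports(tree) if n in NETWORK_OR_EXEC]
    return findings


def make_sample_skill(base):
    """Constructed tree: an __init__.py importing a renderer that is absent, a gen.py with a home path."""
    pkg = Path(base) / "scripts"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "__init__.py").write_text("from .generator import build_xml\n"
                                     "from .renderer import render_to_png, render_to_svg, check_drawio_available\n")
    (pkg / "generator.py").write_text("def build_xml(spec):\n    return '<mxfile/>'\n")
    (pkg / "gen.py").write_text("import os\nDEFAULT_OUTPUT_DIR = '/Users/owen/Desktop/drawio-generator/'\n"
                                "def output_dir():\n    return os.environ.get('DRAWIO_OUTPUT_DIR', DEFAULT_OUTPUT_DIR)\n")
    return pkg.parent


def demo():
    """Audit the constructed sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_skill(make_sample_skill(tmp))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items or 'none'}")
```

Point audit_skill() at an unpacked skill directory instead of the sample to get the same three lists for real code. A static check like this only tells you what the code can do by import and by literal string; it says nothing about what the host agent does with the data it hands to an LLM, which is why the scan's last recommendation still stands.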


Tags: ai, architecture, diagram, drawio, flowchart, generator, latest, network, sequence

95 downloads · 1 star · 3 versions · Updated 2w ago · v1.0.2 · MIT-0

drawio-generator

How to use (standard workflow)

Step 1: Receive the user's process description (text or an uploaded file)

Step 2: Generate structured JSON (nodes + edges) from the description and show the JSON to the user for confirmation

Step 3: After the user confirms, call the generation script:

python3 skills/drawio-generator/scripts/gen.py "diagram title" '{"title":"...","nodes":[...],"edges":[...]}' [type]

Step 4: Deliver the .drawio file to the output directory and tell the user:

Open this file in draw.io (web version at https://app.diagrams.net or the desktop app); if fine-tuning is needed, adjust node positions by hand and save.

⚠️ The generated result is not perfect: lines may overlap or spacing may be off, and manual adjustment in draw.io may be needed.

Output directory

  • Default: /Users/owen/Desktop/drawio-generator/
  • Override with the DRAWIO_OUTPUT_DIR environment variable or the --output-dir command-line option

The default is an absolute path from the author's machine. Set one of the overrides to a directory you control before running, otherwise the script will attempt to write there.

JSON structure

{
  "title": "流程名称",
  "type": "flowchart",
  "nodes": [
    {"id": "0", "type": "start", "label": "开始"},
    {"id": "1", "type": "process", "label": "处理步骤"},
    {"id": "2", "type": "decision", "label": "判断条件?"},
    {"id": "3", "type": "end", "label": "结束"}
  ],
  "edges": [
    {"source": "0", "target": "1"},
    {"source": "1", "target": "2"},
    {"source": "2", "target": "3", "label": "是"},
    {"source": "2", "target": "1", "label": "否"}
  ]
}

Node type values

  type       shape
  start      ellipse
  end        ellipse
  process    rounded rectangle
  decision   diamond
  document   document shape
  data       parallelogram

edges.label values

  label      meaning
  是 / Y     condition is true
  否 / N     condition is false
  (none)     ordinary sequence flow

Supported diagram types

flowchart | sequence | network | architecture | hierarchy | function | deployment


Files

  file                            description
  scripts/gen.py                  standard generation script (must be used; do not call generator.py directly)
  scripts/generator.py            low-level XML generator (called internally by gen.py)
  scripts/parser.py               input parsing (txt is read directly; docx/pdf need extra libraries)
  references/drawio-xml-spec.md   draw.io XML format specification

Dependencies

  • Parsing .docx requires: pip install python-docx
  • Parsing .pdf requires: pip install pdfplumber

Layout parameters

  parameter      default   description
  CANVAS_WIDTH   850       canvas width
  _LAYER_GAP_Y   120       vertical gap between layers
  MAIN_X         425       main-axis X coordinate
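The following is an added worked example for this page, not the skill's gen.py or generator.py. It carries Steps 2 to 4 through in one place: it validates the JSON shape shown above against the node type and diagram type tables, resolves the output directory from --output-dir or DRAWIO_OUTPUT_DIR with a fallback under the current directory instead of the hard-coded /Users/owen path, confines the output file name to that directory, and emits a minimal draw.io XML file. The draw.io style strings, the single-column layout, the 'n' prefix on cell ids and the file-name rule are assumptions of this example; the sample spec is the page's own JSON, embedded as constructed input.

```python
"""Validate a diagram spec and write it to a confined output directory.

Added example for this page, not the skill's gen.py/generator.py. It applies the
SKILL.md rules above (diagram types, node types, edges naming node ids, the
DRAWIO_OUTPUT_DIR / --output-dir overrides) and replaces the hard-coded /Users/owen
default with a directory under the cwd. Style strings and layout are assumptions.
"""
import json, os, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import quoteattr

DIAGRAM_TYPES = {"flowchart", "sequence", "network", "architecture", "hierarchy", "function", "deployment"}
NODE_STYLES = {  # shape per node type as in the SKILL.md table (draw.io style strings assumed)
    "start": "ellipse;whiteSpace=wrap;html=1;", "end": "ellipse;whiteSpace=wrap;html=1;",
    "process": "rounded=1;whiteSpace=wrap;html=1;", "decision": "rhombus;whiteSpace=wrap;html=1;",
    "document": "shape=document;whiteSpace=wrap;html=1;", "data": "shape=parallelogram;whiteSpace=wrap;html=1;",
}
LAYER_GAP_Y, MAIN_X = 120, 425  # defaults listed under "Layout parameters"
SAMPLE_SPEC = {  # the page's own JSON example, embedded here as constructed sample input
    "title": "流程名称", "type": "flowchart",
    "nodes": [{"id": "0", "type": "start", "label": "开始"}, {"id": "1", "type": "process", "label": "处理步骤"},
              {"id": "2", "type": "decision", "label": "判断条件?"}, {"id": "3", "type": "end", "label": "结束"}],
    "edges": [{"source": "0", "target": "1"}, {"source": "1", "target": "2"},
              {"source": "2", "target": "3", "label": "是"}, {"source": "2", "target": "1", "label": "否"}],
}

def validate_spec(spec):
    """Return a list of problems (empty = acceptable). A missing type is treated as flowchart (assumed)."""
    errors = []
    if not isinstance(spec.get("title"), str) or not spec["title"].strip():
        errors.append("title must be a non-empty string")
    if spec.get("type", "flowchart") not in DIAGRAM_TYPES:
        errors.append(f"unsupported diagram type {spec.get('type')!r}")
    nodes = [n for n in spec.get("nodes") or [] if isinstance(n, dict)]
    edges = [e for e in spec.get("edges") or [] if isinstance(e, dict)]
    if not nodes:
        errors.append("nodes must be a non-empty list")
    ids = set()
    for i, node in enumerate(nodes):
        nid = str(node.get("id", ""))
        if not nid or nid in ids:
            errors.append(f"node[{i}] id {nid!r} is missing or duplicated")
        ids.add(nid)
        if node.get("type") not in NODE_STYLES:
            errors.append(f"node {nid!r}: unknown type {node.get('type')!r}")
        if not isinstance(node.get("label"), str):
            errors.append(f"node {nid!r}: label must be a string")
    ids.discard("")
    for i, edge in enumerate(edges):
        for end in ("source", "target"):
            if str(edge.get(end, "")) not in ids:
                errors.append(f"edge[{i}] {end} does not name a node id")
    return errors

def resolve_output_dir(cli_override=None, env=None):
    """--output-dir beats DRAWIO_OUTPUT_DIR; the fallback is ./drawio-out, never another user's home."""
    env = os.environ if env is None else env
    chosen = cli_override or env.get("DRAWIO_OUTPUT_DIR") or Path.cwd() / "drawio-out"
    return Path(chosen).expanduser().resolve()

def safe_output_path(out_dir, title):
    """Name the file after a sanitised title and refuse any path that leaves out_dir."""
    stem = "".join(c if c.isalnum() or c in "-_ " else "_" for c in title).strip() or "diagram"
    path = (out_dir / f"{stem}.drawio").resolve()
    if out_dir not in path.parents:
        raise ValueError(f"refusing to write outside {out_dir}")
    return path

def to_drawio_xml(spec):
    """Minimal mxfile: nodes stacked down MAIN_X one layer apart, edges as orthogonal connectors."""
    cells = ['<mxCell id="0"/>', '<mxCell id="1" parent="0"/>']  # draw.io root and default layer; node ids get an 'n' prefix
    for i, node in enumerate(spec["nodes"]):
        w, h = (140, 80) if node["type"] == "decision" else (120, 60)
        cells.append(f'<mxCell id={quoteattr("n" + str(node["id"]))} value={quoteattr(node["label"])} '
                     f'style={quoteattr(NODE_STYLES[node["type"]])} vertex="1" parent="1"><mxGeometry '
                     f'x="{MAIN_X - w // 2}" y="{40 + i * LAYER_GAP_Y}" width="{w}" height="{h}" as="geometry"/></mxCell>')
    for j, edge in enumerate(spec["edges"]):
        cells.append(f'<mxCell id="e{j}" value={quoteattr(edge.get("label", ""))} edge="1" parent="1" '
                     f'style="edgeStyle=orthogonalEdgeStyle;html=1;" source={quoteattr("n" + str(edge["source"]))} '
                     f'target={quoteattr("n" + str(edge["target"]))}><mxGeometry relative="1" as="geometry"/></mxCell>')
    return (f'<mxfile><diagram name={quoteattr(spec["title"])}><mxGraphModel><root>'
            + "".join(cells) + "</root></mxGraphModel></diagram></mxfile>")

def generate(spec_json, output_dir=None):
    """What a gen.py-style entry point should do: validate first, then write only inside the confined directory."""
    spec = json.loads(spec_json)
    problems = validate_spec(spec)
    if problems:
        raise ValueError("invalid spec: " + "; ".join(problems))
    out_dir = resolve_output_dir(output_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    path = safe_output_path(out_dir, spec["title"])
    path.write_text(to_drawio_xml(spec), encoding="utf-8")
    return path

def demo(spec=SAMPLE_SPEC):
    """Generate into a temp dir; re-parsing the file proves the XML (and label escaping) is well-formed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = generate(json.dumps(spec), tmp)
        cells = ET.parse(path).getroot().findall("./diagram/mxGraphModel/root/mxCell")
        return path.name, sum(c.get("vertex") == "1" for c in cells), sum(c.get("edge") == "1" for c in cells)
```

Calling demo() writes the page's sample flowchart into a temporary directory and returns the file name plus the number of vertex and edge cells found after re-parsing the file, which also checks that labels containing <, & or quotes were escaped by quoteattr. The two checks that matter from a security standpoint are in generate(): the spec is rejected before any file is touched, and safe_output_path() strips path separators from the title and then confirms the resolved path is still inside the chosen directory, so a title such as ../../etc/passwd cannot steer the write elsewhere.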
