Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
An AI skill for OpenClaw that generates professional diagrams from natural language descriptions using EdrawMax AI APIs.
v1.0.2 · Generate diagrams from natural language using EdrawMax AI APIs. Supports four diagram types: flowchart (流程图), infographic (信息图), Gantt chart (甘特图), and mind...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)

Purpose & Capability
Name, description, endpoints, and bundled download helper align: this is a diagram-generation skill that calls EdrawMax AI endpoints and saves returned PNG/SVG locally. The included files (SKILL.md, API reference, and a downloader script) are coherent with the described purpose.
Instruction Scope
Runtime instructions tell the agent to POST to https://api.edrawmax.cn/api/ai/skills/..., then always run the included download script to fetch PNG and SVG URLs returned by the API. While expected, this grants the skill the ability to fetch and persist arbitrary remote content. The bundled script also disables SSL certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE), which weakens transport security and could allow man-in-the-middle attacks or delivery of tampered content. The SKILL.md does not instruct additional unrelated data collection, but the combination of auto-download and disabled TLS is a scope risk.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). Nothing is downloaded or installed during skill installation itself; the only code writes occur at runtime when the download script saves files to disk.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportional to the stated purpose. (Note: SKILL.md says the server extracts user_id from the X-User-ID header and that no auth is required.)
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It writes files to a local output directory only when the download script is executed.
What to consider before installing
This skill appears to do what it says, but exercise caution before using it:
1) The included download script disables TLS certificate checks — this is unsafe. Do not run it as-is in production; modify it to enable certificate validation (remove the lines that set ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE) or use a secure HTTP client that validates TLS.
2) Verify the API domain (api.edrawmax.cn) and confirm you trust that service. The script will download whatever URLs the API returns; if the API is compromised or spoofed, it could deliver malicious content.
3) Be cautious with downloaded SVGs (they can contain active content when opened in some viewers). Open outputs in a sandboxed environment if unsure.
4) Because the skill is proprietary and the source/homepage are not verifiable here, prefer to validate the provider (contact ws-business@wondershare.cn if needed) or run the code in an isolated environment before granting broader access.
5) If you plan to use this skill, remove or fix the TLS bypass and optionally restrict downloads to known hostnames (e.g., EdrawMax OSS domains).
