An AI skill for OpenClaw that generates professional diagrams from natural language descriptions using EdrawMax AI APIs.

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its diagram-generation purpose, but its required downloader disables HTTPS verification and blindly saves remote files, so it should be reviewed before use.

Use this skill only if you are comfortable sending diagram descriptions to EdrawMax and saving returned files locally. Prefer non-sensitive prompts, verify the publisher, and avoid opening SVG outputs from untrusted networks until the downloader is updated to keep HTTPS verification enabled.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker, compromised response URL, or unexpected remote endpoint could cause the agent to save tampered PNG/SVG content as if it were the generated diagram.

Why it was flagged

The downloader disables hostname and certificate validation, then reads bytes from the supplied remote URL and writes them locally. SKILL.md directs this downloader to run after successful API calls, so users do not get a safer verified-download path by default.

Skill content
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
...
with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
    data = resp.read()
Recommendation

Keep HTTPS certificate verification enabled, require HTTPS and expected EdrawMax/OSS hosts, validate content type and size, and allow users to review URLs before downloading.
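A hardened form of the downloader that follows this recommendation, added here as an illustration and not taken from the skill itself: it keeps certificate and hostname verification on, requires HTTPS on an expected host, and checks the declared type, size and leading bytes of the body before writing. The host allowlist, size cap and User-Agent string are assumptions.

```python
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Assumed allowlist of hosts the API is expected to return file URLs from; adjust to the real OSS domain.
ALLOWED_HOSTS = {"api.edrawmax.cn"}
# Leading bytes a file of each accepted media type must start with.
MAGIC = {"image/png": (b"\x89PNG\r\n\x1a\n",), "image/svg+xml": (b"<?xml", b"<svg")}
MAX_BYTES = 10 * 1024 * 1024  # assumed cap: 10 MiB per diagram file


def check_url(url: str) -> str:
    """Accept only HTTPS URLs on an expected host; reject anything else before any connection is made."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected host: {parts.hostname!r}")
    return url


def check_body(content_type: Optional[str], data: bytes) -> str:
    """Return the media type when the declared Content-Type, the size and the leading bytes all agree."""
    media = (content_type or "").split(";")[0].strip().lower()
    if media not in MAGIC:
        raise ValueError(f"unexpected Content-Type: {content_type!r}")
    if len(data) > MAX_BYTES:
        raise ValueError("response exceeds size cap")
    if not data.lstrip().startswith(MAGIC[media]):
        raise ValueError(f"body does not look like {media}")
    return media


def download_diagram(url: str, dest: str) -> str:
    """Fetch a generated diagram with certificate and hostname verification left enabled."""
    check_url(url)
    ctx = ssl.create_default_context()  # verifies the chain and hostname; the skill set CERT_NONE instead
    req = urllib.request.Request(url, headers={"User-Agent": "diagram-downloader"})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        data = resp.read(MAX_BYTES + 1)  # read one byte past the cap so oversize bodies are rejected
        media = check_body(resp.headers.get("Content-Type"), data)
    with open(dest, "wb") as f:
        f.write(data)
    return media
```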

What this means

Diagram descriptions and generated diagram content may be processed and hosted by EdrawMax/OSS rather than staying only on the user's machine.

Why it was flagged

The skill explicitly sends the user's natural-language diagram description to EdrawMax's external API and returns provider-hosted file URLs. This is purpose-aligned and disclosed, but it is still a data boundary users should understand.

Skill content
POST https://api.edrawmax.cn/api/ai/skills/generate-{type}
...
{"prompt": "<user description>", "lang": "cn", "platform": "web"}
...
Provide ... **Original OSS URLs** as backup links
Recommendation

Use non-sensitive prompts unless you are comfortable sharing the content with the EdrawMax service; disclose provider handling and retention expectations to users.

What this means

Users have less information to confirm that the package is officially published and maintained by the claimed provider.

Why it was flagged

The registry metadata does not provide a source repository or homepage for verifying the provenance of a skill that claims EdrawMax/Wondershare authorship.

Skill content
Source: unknown
Homepage: none
Recommendation

Verify the publisher through trusted EdrawMax/Wondershare channels before relying on the skill, especially because it sends prompts to an external API.