Skill v1.0.2
ClawScan security
An AI skill for OpenClaw that generates professional diagrams from natural language descriptions using EdrawMax AI APIs. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 13, 2026, 1:36 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality and instructions match its stated purpose, but the included downloader disables TLS verification and downloads arbitrary remote URLs, which is a notable security risk and makes the package suspicious.
- Guidance: This skill appears to do what it says, but exercise caution before using it:
  1. The included download script disables TLS certificate checks, which is unsafe. Do not run it as-is in production; remove the lines that set ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE so that the default context validates the server certificate, or use a secure HTTP client that validates TLS.
  2. Verify the API domain (api.edrawmax.cn) and confirm you trust that service. The script downloads whatever URLs the API returns; if the API is compromised or spoofed, it could deliver malicious content.
  3. Be cautious with downloaded SVGs: they can contain active content (scripts, event handlers) that some viewers execute when the file is opened. Open outputs in a sandboxed environment if unsure.
  4. Because the skill is proprietary and the source/homepage are not verifiable here, validate the provider (contact ws-business@wondershare.cn if needed) or run the code in an isolated environment before granting broader access.
  5. If you plan to use this skill, remove or fix the TLS bypass and restrict downloads to known hostnames (e.g., EdrawMax OSS domains).
Review Dimensions
- Purpose & Capability (ok): Name, description, endpoints, and the bundled download helper align: this is a diagram-generation skill that calls EdrawMax AI endpoints and saves the returned PNG/SVG locally. The included files (SKILL.md, API reference, and a downloader script) are coherent with the described purpose.
- Instruction Scope (concern): Runtime instructions tell the agent to POST to https://api.edrawmax.cn/api/ai/skills/..., then always run the included download script to fetch the PNG and SVG URLs returned by the API. While expected for this purpose, this grants the skill the ability to fetch and persist arbitrary remote content chosen by the server. The bundled script also disables TLS certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE), so an on-path attacker presenting any certificate can impersonate the API or the file host and substitute the downloaded content. SKILL.md does not instruct any unrelated data collection, but the combination of automatic download and disabled TLS verification is a scope risk.
- Install Mechanism (ok): No install spec is provided (instruction-only with a small helper script). Nothing is downloaded or installed during skill installation itself; the only code writes occur at runtime when the download script saves files to disk.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. That is proportional to the stated purpose. (Note: SKILL.md says the server extracts user_id from the X-User-ID header and that no auth is required; a client-supplied header identifies but does not authenticate the caller, so nothing on the server side can rely on it for access control.)
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It writes files to a local output directory only when the download script is executed.
