An AI skill for OpenClaw that generates professional diagrams from natural language descriptions using EdrawMax AI APIs.

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s diagram workflow is coherent, but its downloader disables HTTPS verification before saving returned image files, so users should review it before use.

Review the downloader before installing or using this skill. It appears focused on diagram generation, but you should avoid sensitive prompts and preferably fix the downloader to verify HTTPS certificates and restrict downloaded URLs before opening generated SVG/PNG files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An attacker positioned on the network path, or any unexpected URL response, could cause the skill to save tampered or untrusted PNG/SVG files as if they were the generated diagrams.

Why it was flagged

The helper downloads files from supplied URLs while explicitly disabling HTTPS certificate and hostname checks, and the code does not visibly restrict URLs to expected HTTPS/OSS domains.

Skill content

ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE; req = urllib.request.Request(url, headers={"User-Agent": "EdrawMax-Skill/2.0"})

Recommendation

Keep TLS verification enabled, restrict downloads to expected HTTPS provider domains, validate content type and size, and treat downloaded SVG files as untrusted unless verified.
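The following is a hardened version of the flagged download step, added here as an illustration; it is not taken from the skill's own download_diagram.py. The allowlisted host, the size ceiling, and the expected content types are assumptions, since the report does not state which domains serve the returned images.

```python
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Assumption: the report does not name the hosts that serve the generated
# images, so this allowlist is a placeholder; fill it with the provider's
# real HTTPS image domains before use.
ALLOWED_HOSTS = {"api.edrawmax.cn"}
EXPECTED_TYPES = {"png": "image/png", "svg": "image/svg+xml"}
MAX_BYTES = 10 * 1024 * 1024  # assumed size ceiling for one diagram image


def check_url(url: str) -> str:
    """Accept only HTTPS URLs on an allowlisted host; raise ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    if not parts.hostname or parts.hostname.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {parts.hostname}")
    return url


def check_headers(kind: str, content_type: str, content_length: Optional[str]) -> None:
    """Reject a Content-Type that does not match the requested kind, or an oversized declared length."""
    expected = EXPECTED_TYPES[kind]
    if content_type.split(";")[0].strip().lower() != expected:
        raise ValueError(f"unexpected Content-Type {content_type!r}, wanted {expected}")
    if content_length is not None and int(content_length) > MAX_BYTES:
        raise ValueError("declared Content-Length exceeds limit")


def fetch_diagram(url: str, kind: str, opener=urllib.request.urlopen) -> bytes:
    """Fetch one image over verified TLS and return its bytes; `opener` is injectable for tests."""
    check_url(url)
    # create_default_context() keeps check_hostname=True and CERT_REQUIRED,
    # which is exactly what the flagged helper switches off.
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"User-Agent": "EdrawMax-Skill/2.0"})
    with opener(req, context=ctx, timeout=30) as resp:
        check_headers(kind, resp.headers.get("Content-Type", ""), resp.headers.get("Content-Length"))
        data = resp.read(MAX_BYTES + 1)  # one extra byte exposes a body larger than declared
    if len(data) > MAX_BYTES:
        raise ValueError("response body exceeds limit")
    return data


def download_diagram(url: str, kind: str, dest: str) -> int:
    """Save a fetched image to dest and return the byte count written."""
    data = fetch_diagram(url, kind)
    with open(dest, "wb") as fh:
        fh.write(data)
    return len(data)
```

A saved SVG is still untrusted content after these checks; the type and size validation only limits what gets written, so open it in a viewer that does not execute embedded script.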

What this means

Using the skill will run local Python code and create local output files after diagram generation.

Why it was flagged

The skill explicitly executes a bundled Python helper as part of its normal workflow. This is disclosed and purpose-aligned, but users should know local code runs.

Skill content

After a successful API call, **always** run the download script to save the images locally: python <skill-path>/scripts/download_diagram.py --png-url "<png_url>" --svg-url "<svg_url>"

Recommendation

Only run the helper when you requested a diagram, and review or update the downloader before relying on it in sensitive environments.

What this means

Diagram prompts may include business processes, project plans, or other private details that leave the local environment.

Why it was flagged

The user's diagram description is sent to an external EdrawMax API. This is disclosed and necessary for the skill's function, but it is still an external data flow.

Skill content

POST https://api.edrawmax.cn/api/ai/skills/generate-{type} ... {"prompt": "<user description>", "lang": "cn", "platform": "web"}

Recommendation

Avoid including secrets or sensitive internal details in prompts unless you are comfortable with EdrawMax processing them and have reviewed the provider's terms.