Back to skill

Security audit

An AI skill for OpenClaw that generates professional diagrams from natural language descriptions using EdrawMax AI APIs.

Security checks across malware telemetry and agentic risk

Overview

This diagram skill does what it claims, but its required downloader saves remote files with TLS verification disabled and without limiting downloads to trusted diagram hosts.

Install only if you are comfortable sending diagram descriptions to EdrawMax and saving returned files locally. Avoid sensitive prompts, review returned URLs before use, and be cautious opening downloaded SVG files until the downloader enforces normal HTTPS verification and restricts downloads to expected diagram hosts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly performs network operations by instructing calls to a remote API, yet no declared permissions are present. This creates a transparency and governance gap: users and platforms cannot accurately evaluate or constrain the skill's data egress behavior before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is diagram generation, but the skill also instructs downloading remote files to local disk, which expands its effective capability beyond simple API generation. Because the finding also notes SSL verification may be disabled in the associated download path, this can expose users to man-in-the-middle tampering and unsafe file retrieval not disclosed by the skill description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script will fetch attacker-controlled content from arbitrary URLs and persist it to local disk, even though the skill is supposed to download diagram artifacts from EdrawMax APIs. This broad downloader behavior expands the trust boundary and can be abused for SSRF-style internal network access, retrieval of unexpected content, or storing malicious files under the guise of diagram generation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The downloader accepts any user-supplied URL without verifying that it belongs to the service the skill claims to use. In a skill context, this makes the tool more dangerous because a natural-language workflow intended for diagram generation can be turned into a generic network fetch primitive against arbitrary hosts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs that generated PNG/SVG files should always be downloaded and written locally, but it does not require an explicit user-facing notice or consent for file creation. Silent local writes can surprise users, create storage/privacy risks, and become more dangerous if remote URLs are ever tampered with or redirected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends the user's natural-language diagram description to a third-party remote API without an explicit privacy or network disclosure. Users may include sensitive project plans, internal workflows, or business data in prompts, so undisclosed transmission can cause confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API reference explicitly states that identity is derived from the X-User-ID header while also stating that no authentication is required. If the backend trusts this header without verifying the caller, any client can impersonate another user by sending an arbitrary X-User-ID, enabling unauthorized access, quota abuse, or attribution spoofing. In an agent skill context, this is especially dangerous because the integration may be treated as a trusted backend service and downstream callers may assume user binding is secure when it is not.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented endpoints transmit arbitrary natural-language prompts to a remote generation service, but the reference provides no privacy, retention, or sensitive-data handling guidance. Users may submit proprietary business plans, internal workflows, personal data, or confidential project details assuming local processing, causing unintended disclosure to a third-party service or storage backend. Because this skill is specifically designed to turn free-form descriptions into diagrams, the chance of sensitive operational content being pasted into prompts is high.

Missing User Warnings

High
Confidence
99% confidence
Finding
TLS certificate validation and hostname checks are explicitly disabled, allowing a man-in-the-middle attacker to intercept or replace the downloaded files without detection. Because the tool writes the response directly to disk and presents it as a generated diagram artifact, users may trust tampered content or malicious payloads delivered through compromised network paths.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.