mermaid-canvas

This skill appears to be what it claims — it generates PNGs from Mermaid — but proceed with caution. Things to check before installing or using it: - Feishu upload: The skill advertises optional Feishu integration but declares no Feishu credentials. Confirm how upload is implemented in your OpenClaw environment (does it call a platform feishu_doc_media tool that already has credentials?). Do not supply unrelated secrets to this skill; instead verify the platform-level Feishu integration. - Remote resources and data exfiltration: The generated HTML loads mermaid from jsdelivr and the script uses securityLevel: 'loose'. That allows more permissive HTML/JS in the rendering page and could execute content embedded in diagrams. The fallback sends the diagram (base64-encoded) to mermaid.ink. Avoid rendering diagrams that contain sensitive information (passwords, API keys, private system details) because that data could be transmitted or executed remotely. - Hardening suggestions: If you control the environment, prefer serving mermaid locally (avoid CDN), set securityLevel to a stricter option (if available), or sanitize diagram text before rendering. Require an explicit, reviewed implementation for Feishu upload that documents how credentials are used. - Operational note: The script returns an HTML path and expects the platform 'browser' tool to load and snapshot it — confirm that the browser environment is sandboxed and that snapshots do not leak local files or agent secrets. If you can get answers about how Feishu uploads are implemented and can accept the runtime use of external CDNs/APIs (or replace them with offline alternatives), the skill is usable. If you need to render sensitive diagrams, do not use the default CDN/fallback without hardening.