YMind Chat Visualizer
v1.0.5Turn AI chat transcripts into interactive D3.js thinking maps with reasoning nodes, thinking shifts, and action items. Invoke this skill when the user shares...
⭐ 0· 97·0 current·0 all-time
byStella Yu@yslenjoy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (visualize chat transcripts into D3 maps) align with the included scripts and instructions: fetch-chat.py, render-html.py, run.sh, templates, and graph-schema.md implement fetching, parsing, graph extraction guidance, and rendering. The use of Playwright and requests is explainable for fetching public share pages and taking screenshots.
Instruction Scope
SKILL.md explicitly instructs the agent to fetch public share pages (or accept pasted text), create run directories under ~/ymind-ws (or YMIND_DIR), write raw_chat.json/meta.json/graph.json/graph.html, and rebuild a workspace index. It also instructs running a local version check (contacts GitHub) and sometimes launching Playwright in headed mode and applying navigator.webdriver overrides to bypass Cloudflare. These are consistent with the goal but noteworthy: the skill will open network connections to fetch pages and may run a real browser environment to access share pages protected by anti-bot services.
Install Mechanism
No automated install spec in the registry; code is provided and requires Python 3.10+. requirements.txt lists requests and playwright (standard). There are no opaque remote installers or arbitrary download URLs in the install spec. Playwright installation (if performed) will download browser binaries (Chromium) as expected.
Credentials
The skill requests no secrets or special environment variables in metadata. It uses a workspace directory (YMIND_DIR or default ~/ymind-ws) and optionally reads the YMIND_DIR env var per the docs; these are proportionate to keeping local session files. No API keys, tokens, or unrelated credentials are requested.
Persistence & Privilege
The skill writes persistent files under the workspace (default ~/ymind-ws): run folders, raw_chat.json, graph.json, graph.html, graph.png, and the workspace index. always:false. It does not modify other skills' configs. Users should be aware that conversation data is stored locally by default and that the rendered HTML loads third-party CDN resources when opened.
Scan Findings in Context
[playwright-headed-cloudflare-bypass] expected: fetch-chat.py intentionally launches Playwright in headed mode and injects a script to set navigator.webdriver=false to bypass Cloudflare/anti-bot checks for public share pages. This is noisy but expected for robust fetching of share pages.
[external-cdns-in-templates] expected: Templates load D3.js, html2canvas, and Google Fonts from public CDNs. This is expected for rendering the interactive visualization but means opening graph.html online will cause third-party network requests (possible privacy leak). README documents this behavior.
[version-check-github-api] expected: check-version.py queries the GitHub releases API to detect updates. This network call is expected by the SKILL.md's update check.
Assessment
This skill is internally consistent with its stated purpose: it fetches public chat share pages (or accepts pasted conversations), extracts a thinking graph, then renders local HTML visualizations. Before installing or running: 1) Don't paste or fetch private/sensitive chats unless you want them saved under the workspace (default ~/ymind-ws) — you can override YMIND_DIR. 2) The fetch path may launch Playwright and a real browser (headed mode) to bypass Cloudflare; installing Playwright will download Chromium. 3) Rendered HTML references external CDNs (D3, fonts); opening the HTML while online may contact those CDNs and potentially leak metadata — if this is a concern, host libraries locally or view offline. 4) The skill performs harmless network calls for fetching shared pages and optional version checks (GitHub). 5) If you want extra assurance, inspect or run the Python scripts in a sandbox/virtualenv before giving the agent permission to run them.Like a lobster shell, security has layers — review code before you run it.
latestvk973cqzdytks1hr28t8mw9487d847zx6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.