Interactive Doc Mapper

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a purpose-aligned local documentation generator that validates workflow JSON and renders a self-contained HTML map, with no evidence of credential use, network exfiltration, or destructive behavior.

This looks reasonable to use for local workflow documentation. Before installing or invoking it, be aware that it runs bundled Python scripts, reads workflow JSON or repository context, and writes persistent HTML/JSON files. Keep secrets and customer data out of the source JSON and generated HTML, and review outputs before sharing them.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

Using the skill will run local Python code and create local output files.

Why it was flagged

The skill expects local execution of bundled Python helper scripts, which is central to its stated purpose and appears user-directed.

Skill content
Run `python3 {baseDir}/scripts/validate_flow_doc.py --input <flows.json> --out <validation.json>` ... Run `python3 {baseDir}/scripts/generate_interactive_doc.py --input <flows.json> --out <workflow-map.html>`.
Recommendation

Run the helpers from the installed skill directory, choose output paths intentionally, and inspect the generated HTML before sharing it.

ASI06: Memory and Context Poisoning
Low
What this means

Generated documentation could reveal internal architecture or sensitive workflow details if shared carelessly.

Why it was flagged

The skill may summarize repository internals into persistent JSON/HTML artifacts, but it includes explicit guidance to avoid sensitive data.

Skill content
If the user did not provide JSON, derive a first draft from repo inspection ... Do not put credentials, raw tokens, cookies, customer data, private URLs, or secret environment values in the JSON or generated HTML.
Recommendation

Review the JSON and HTML for secrets, private URLs, customer data, and internal-only details before publishing or sending them outside the project.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may not work on systems without python3, and users may not notice from metadata alone that local script execution is required.

Why it was flagged

The instructions require a local Python runtime even though the registry metadata declares no required binaries; this is an under-declared but purpose-aligned runtime dependency.

Skill content
Run `python3 {baseDir}/scripts/validate_flow_doc.py --input <flows.json> --out <validation.json>`.
Recommendation

Confirm python3 is available and review the bundled scripts if you require high assurance before running them.