handdraw-flowchart

Pass. Audited by ClawScan on May 9, 2026.

Overview

This skill appears purpose-aligned: it locally renders Mermaid diagrams into Excalidraw and PNG files, with normal caution around npm dependencies and browser-based rendering.

This looks safe to use for generating diagrams. Before installing, be comfortable with running npm install and a local Node/Playwright renderer, and choose a dedicated output directory for generated files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill's dependencies will run npm package installation and rely on external package provenance.

Why it was flagged

The skill depends on third-party npm packages. They are pinned and supported by a lockfile, so this is a normal supply-chain notice rather than a concern.

Skill content

"dependencies": { "@excalidraw/excalidraw": "0.18.1", "@excalidraw/mermaid-to-excalidraw": "2.2.2", "esbuild": "0.28.0", "mermaid": "11.14.0", "playwright": "1.59.1" }

Recommendation

Install from the provided lockfile in a normal project environment and avoid upgrading dependencies without retesting.

What this means

The skill may start a local browser process during rendering.

Why it was flagged

The renderer intentionally launches browser-based code to export images. This is disclosed and aligned with the diagram-rendering purpose.

Skill content

The script uses browser execution because Excalidraw export utilities require DOM/canvas APIs. If Playwright has no bundled browser, the script tries common local Chrome/Chromium executable paths and honors `CHROME_PATH`.

Recommendation

Use a trusted local Chrome/Chromium path if setting CHROME_PATH, and run the renderer only for diagram files you intend to process.

What this means

The skill can create or overwrite diagram output files in the selected output directory.

Why it was flagged

The CLI writes generated output files to a user-specified directory. This is expected for a renderer, but users should choose output paths deliberately.

Skill content

const outDir = path.resolve(args["out-dir"] || path.dirname(inputPath));
...
await fs.writeFile(mmdPath, `${source}\n`, "utf8");
...
await fs.writeFile(scenePath, `${JSON.stringify(result.scene, null, 2)}\n`, "utf8");
...
await fs.writeFile(pngPath, Buffer.from(result.pngBase64, "base64"));

Recommendation

Direct output to a dedicated folder and avoid using protected or unrelated directories.