handdraw-flowchart

Pass. Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: handdraw-flowchart
Version: 1.0.0

The skill bundle is a legitimate tool for converting natural-language process descriptions into hand-drawn style diagrams using Mermaid and Excalidraw. It uses Playwright to launch a headless browser for rendering and esbuild to dynamically bundle the necessary conversion libraries (mermaid, @excalidraw/excalidraw) at runtime. The script `scripts/render-mermaid-handdraw.mjs` includes security best practices such as enforcing Mermaid's 'strict' security level and sanitizing output filenames to prevent path traversal. While the skill requires significant permissions (filesystem access and browser execution), these capabilities are strictly aligned with its stated purpose, and no evidence of malicious intent, data exfiltration, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill's dependencies will run npm package installation and rely on external package provenance.

Why it was flagged

The skill depends on third-party npm packages. They are pinned and supported by a lockfile, so this is a normal supply-chain notice rather than a concern.

Skill content

    "dependencies": {
      "@excalidraw/excalidraw": "0.18.1",
      "@excalidraw/mermaid-to-excalidraw": "2.2.2",
      "esbuild": "0.28.0",
      "mermaid": "11.14.0",
      "playwright": "1.59.1"
    }

Recommendation

Install from the provided lockfile in a normal project environment and avoid upgrading dependencies without retesting.

What this means

The skill may start a local browser process during rendering.

Why it was flagged

The renderer intentionally launches browser-based code to export images. This is disclosed and aligned with the diagram-rendering purpose.

Skill content

The script uses browser execution because Excalidraw export utilities require DOM/canvas APIs. If Playwright has no bundled browser, the script tries common local Chrome/Chromium executable paths and honors `CHROME_PATH`.

Recommendation

Use a trusted local Chrome/Chromium path if setting `CHROME_PATH`, and run the renderer only for diagram files you intend to process.

What this means

The skill can create or overwrite diagram output files in the selected output directory.

Why it was flagged

The CLI writes generated output files to a user-specified directory. This is expected for a renderer, but users should choose output paths deliberately.

Skill content

    const outDir = path.resolve(args["out-dir"] || path.dirname(inputPath));
    ...
    await fs.writeFile(mmdPath, `${source}\n`, "utf8");
    ...
    await fs.writeFile(scenePath, `${JSON.stringify(result.scene, null, 2)}\n`, "utf8");
    ...
    await fs.writeFile(pngPath, Buffer.from(result.pngBase64, "base64"));

Recommendation

Direct output to a dedicated folder and avoid using protected or unrelated directories.