Back to skill
Skillv1.0.0
ClawScan security
Publish Ascii Excalidraw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 3:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requested actions, files, and instructions are consistent with converting ASCII diagrams into Excalidraw JSON and do not ask for unrelated credentials or risky installs.
- Guidance
- This skill appears internally consistent and low-risk, but check two practical things before installing or running it: (1) ensure Python is available in the runtime and that the helper script is executed from the expected location (the SKILL.md references ~/.skills/ascii-excalidraw/scripts/merge_modules.py while the package includes scripts/merge_modules.py), and (2) only merge module JSON files generated by this skill or other trusted sources — merging untrusted JSON could introduce unwanted elements or references into the final .excalidraw file. If you want extra safety, run the merging step in a sandbox or inspect module JSON files before merging.
Review Dimensions
- Purpose & Capability
- okName/description match the behavior in SKILL.md and the included helper script. The workflow, temporary files, and merge script are all coherent with converting ASCII modules into a final .excalidraw file.
- Instruction Scope
- noteSKILL.md stays focused on parsing, layout planning, producing module JSON files, and merging them. It instructs writing temp files under /tmp and invoking a helper script at ~/.skills/ascii-excalidraw/scripts/merge_modules.py — a reasonable operational detail but a path assumption: the included script is present in the package as scripts/merge_modules.py, so the agent or installer must place it at the expected ~/.skills path or call the packaged script instead. The instructions do not direct reading unrelated system files or exfiltrating data.
- Install Mechanism
- okNo install spec; this is instruction-only plus a small local Python script included in the package. There are no downloads or external install URLs and the script contains no network or exec calls beyond normal file I/O.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. The requested filesystem access (writing temporary module JSON and writing the final .excalidraw file) is proportionate to the stated purpose.
- Persistence & Privilege
- okThe skill does not request always-on presence, does not modify other skills or system settings, and only performs normal file writes for module/temp and output files.