Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Excalidraw Handdraw
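v0.1.0
A skill that generates hand-drawn style diagrams from prompts. Used for: (1) creating Excalidraw hand-drawn style diagrams such as architecture diagrams, flowcharts, and ER diagrams (2) running the canvas server locally via Docker (3) generating PNG/SVG images (4) saving images to a specified directory (5) inserting or replacing diagrams at a specified position in a file (6) supporting Chinese handwriting fonts. ...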
⭐ 0· 112·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (generate Excalidraw-style diagrams, export PNG/SVG, save/insert into files) is plausible, but the skill claims to start/stop a Docker canvas, run Playwright exports, and call local scripts (./scripts/*.sh). The package contains no scripts, no install spec, and declares no required binaries (Docker, browser/Playwright). That mismatch means the skill as published cannot perform its tasks without external artifacts and is not self-contained.
Instruction Scope
Runtime instructions tell the agent to run shell scripts (./scripts/start-canvas.sh, export/save/insert scripts), call docker ps and curl localhost:3000, and edit files (sed/insert/replace). Those steps imply executing arbitrary local code and modifying repository files; the SKILL.md gives the agent broad discretion to run and write files but does not ship or show the scripts it expects. This is scope creep relative to an instruction-only skill and could lead to unexpected file modification or execution if the referenced scripts are present on the host.
Install Mechanism
There is no install spec (instruction-only), yet the instructions require system-level components (Docker, a running canvas container, Playwright/browser) and local helper scripts. The absence of an install mechanism or bundled scripts is inconsistent and increases risk: the skill relies on out-of-band artifacts that may be arbitrary and unreviewed.
Credentials
The skill declares no required env vars or credentials, which superficially seems safe — but the instructions expect access to the local filesystem and to Docker (socket) and local HTTP (localhost:3000). Those capabilities are not documented in requires.* metadata. The skill therefore under-declares the privileges it needs (ability to execute scripts, write files, access Docker and a browser), which is a proportionality and transparency problem.
Persistence & Privilege
always:false and normal model invocation are fine. However, the instructions direct the agent to modify files in place (inserting/replacing images in Markdown) and to run scripts on the host. While not an elevated platform privilege, these behaviors require file-system and process execution privileges and should be explicitly audited before running.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner found nothing because this is an instruction-only skill with no code files. That absence is expected but reduces static assurance — the runtime instructions themselves are the primary surface to review.
What to consider before installing
Do not run this skill as-is without inspection. The SKILL.md expects local scripts (./scripts/*.sh), Docker, and Playwright but none of these artifacts or an install plan are included. Before installing or invoking: (1) Verify the repository actually contains the referenced ./scripts and inspect their contents line-by-line for unsafe commands. (2) Ensure Docker and Playwright (or a browser) are intentionally installed and run the canvas in a sandbox or disposable environment. (3) Back up any files the skill may modify (Markdown/docs) because the scripts perform in-place insert/replace operations. (4) Prefer a version of the skill that bundles or documents its install steps and dependencies, or ask the publisher to supply the missing scripts and an explicit install manifest. If you cannot audit the scripts, run the workflow inside an isolated VM/container to limit risk.
Like a lobster shell, security has layers — review code before you run it.
latestvk97aa49z52qj2e5akn6bm0s1yh83fy9j
