Skill v1.1.0

ClawScan security

AHA Mermaid Diagram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 6:15 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only Mermaid diagram guide whose requirements and instructions align with its stated purpose and do not request unrelated credentials or system privileges.
Guidance
This skill is a doc-style helper for Mermaid diagrams and appears coherent. Before using: (1) If you import Mermaid JS into web pages, prefer official release URLs and pinned versions (avoid implicit latest tags on CDNs). (2) When installing mermaid-cli via npm, confirm the package name/version is official. (3) Be cautious about rendering untrusted .mmd inputs in contexts that execute click handlers or embed external links; untrusted diagrams could include links or behaviors you don't want. Otherwise the skill's instructions and requirements are proportional to its purpose.

Review Dimensions

Purpose & Capability
ok: Name/description (render Mermaid diagrams) match the provided instructions and reference material: HTML+CDN usage, mermaid-cli for exports, and many example diagram types. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md and references only instruct how to write Mermaid syntax, load Mermaid from a CDN, and optionally use the mermaid-cli to export files; they don't instruct reading arbitrary system files, harvesting environment variables, or sending data to hidden endpoints. Example 'click' links reference public docs/live editors, which is expected for interactive diagrams.
Install Mechanism
note: This is instruction-only (no install spec). It recommends importing mermaid via jsdelivr CDN and installing @mermaid-js/mermaid-cli from npm; both are standard for this purpose. Loading remote JS from a CDN and installing npm packages are normal but carry the usual supply-chain/trust considerations (verify sources and versions).
Credentials
ok: The skill declares no environment variables, credentials, or config paths. The examples do not attempt to access hidden env vars or secrets.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and does not instruct modifying other skills or system-wide agent settings.