ClawHub
Back to skill
v1.0.0

Corespeed Excalidraw Rendering

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:25 AM.

Analysis

The skill does what it claims, but its setup asks users to run an unpinned remote installer script, so it should be reviewed before installation.

GuidanceInstall only if you trust the brow project and are comfortable running its installer. For safer use, inspect the install script first or install brow from a pinned, verifiable release, then use the skill for user-requested Excalidraw rendering or screenshots.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
curl -fsSL https://raw.githubusercontent.com/corespeed-io/brow/main/install.sh | bash

The setup path executes a remote installer script directly from GitHub's mutable main branch, with no pinned release, checksum, or reviewed local installer artifact.

User impactIf the remote installer or upstream repository changes or is compromised, installing the skill dependency could run unexpected code on the user's machine.
RecommendationReview the installer before running it, prefer a pinned release or package manager install, and use checksums or signed artifacts where available.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
Before first render, install the managed browser (safe to re-run):

```bash
brow browser install
```

The skill requires a local command that downloads and installs a managed browser. This is consistent with headless rendering, but users should understand it adds executable browser components locally.

User impactThe tool may download and store a browser on the local machine before rendering images or screenshots.
RecommendationRun setup only from a trusted environment and confirm where the browser cache is stored if local disk changes matter.