excalidraw-diagram 安全扫描报告 — 可信 | ClawSafe

5 /100

excalidraw-diagram

Generate Excalidraw hand-drawn diagrams from natural language. Outputs .excalidraw JSON files and optionally exports to PNG via Playwright.

The excalidraw-diagram skill is a straightforward diagram-generation tool with no malicious behavior. All capabilities (filesystem write, network read, shell via Playwright) are declared in SKILL.md. The Python script is transparent: it reads a JSON file, renders it via a local HTML+Playwright pipeline, and writes a PNG output.

技能名称excalidraw-diagram

分析耗时33.3s

引擎pi

✓

可以安装

This skill is safe to use. No action required.

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md Step 4: writes .excalidraw files to cwd or user-specified path
网络访问	`READ`	`READ`	✓ 一致	SKILL.md Step 4.5: 需要联网 (CDN resources); export-png.py fetches unpkg.com for Rea…
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md Step 4.5: python3 ~/.openclaw/.../export-png.py — launches Playwright h…
环境变量	`NONE`	`NONE`	—	No environment variable access in any file
技能调用	`NONE`	`NONE`	—	No cross-skill invocation detected
剪贴板	`NONE`	`NONE`	—	No clipboard access detected
浏览器	`READ`	`READ`	✓ 一致	SKILL.md Step 4.5: Playwright headless Chromium — declared as required dependenc…
数据库	`NONE`	`NONE`	—	No database access

2 项发现

🔗

中危外部 URL 外部 URL

https://excalidraw.com

README.md:7

🔗

中危外部 URL 外部 URL

http://127.0.0.1:

scripts/export-png.py:131

目录结构

7 文件 · 37.6 KB · 1253 行

Markdown 6f · 1080L Python 1f · 173L

├─ ▾ 📁 references

│ ├─ 📝 diagram-templates.md Markdown 208L · 5.4 KB

│ ├─ 📝 element-spec.md Markdown 176L · 3.5 KB

│ ├─ 📝 examples.md Markdown 350L · 11.1 KB

│ └─ 📝 headless-export.md Markdown 74L · 2.9 KB

├─ ▾ 📁 scripts

│ └─ 🐍 export-png.py Python 173L · 6.0 KB

├─ 📝 README.md Markdown 75L · 2.4 KB

└─ 📝 SKILL.md Markdown 197L · 6.3 KB

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`playwright`	`*`	pip	否	Required for headless Chromium PNG export. Not pinned but widely-used, standard tooling.
`react@18 (CDN)`	`0.17.6 of @excalidraw/excalidraw`	unpkg.com CDN	否	Loaded from unpkg CDN in the headless render HTML; fully offline option is to use excalidraw.com import method

安全亮点

✓ All declared capabilities match actual code — no hidden functionality

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env)

✓ No data exfiltration — the pipeline is purely local (read JSON → render → write PNG)

✓ Local HTTP server is bound to 127.0.0.1 only, not exposed externally

✓ No base64 decoding, eval(), or obfuscated code

✓ No remote script execution (curl|bash, wget|sh) or unsigned pip installs

✓ HTML injection is contained: JSON is embedded via json.dumps (not innerHTML eval), and the page is served locally on a random port

✓ Dependencies (playwright, React, Excalidraw) are standard, open-source libraries loaded from a reputable CDN

✓ Clean file tree with no binary payloads or suspicious assets