Scan Report
Score: 25/100
contextweave-diagrams
AI-powered diagram and complex information visualization tool based on ContextWeave
This is a documentation-only skill with no implementation scripts, offering minimal attack surface but exhibiting a doc/code mismatch due to referenced scripts that don't exist in the package.
Safe to install
This skill should not be deployed until the implementation scripts (generate_contextweave.cjs, cw_client.cjs) are provided and reviewed. The SKILL.md references scripts that are absent from the package.
Findings (2 items)
| Severity | Finding | Location |
|---|---|---|
| Medium | Referenced implementation scripts are absent (Doc Mismatch) | SKILL.md:1 |
| Low | Allowed tools declaration exceeds deliverable (Priv Escalation) | SKILL.md:83 |
Resource Alignment

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | NONE | ✓ Aligned | SKILL.md: reads input_file only, but scripts are absent |
| Network | READ | NONE | ✓ Aligned | SKILL.md: POSTs to CONTEXTWEAVE_API_URL only, but scripts are absent |
| Shell | WRITE | NONE | ✓ Aligned | SKILL.md: runs 'node scripts/generate_contextweave.cjs', but scripts are absent |
| Environment | READ | NONE | ✓ Aligned | SKILL.md: reads CONTEXTWEAVE_MCP_API_KEY and CONTEXTWEAVE_API_URL, but scripts a… |
File Tree
1 file · 9.1 KB · 180 lines (Markdown: 1 file, 180 lines)
└─ SKILL.md (Markdown)
Security Positives
✓ SKILL.md explicitly restricts backend to CONTEXTWEAVE_API_URL env var — no arbitrary network targets
✓ SKILL.md mandates credentials from env vars only — no local directory scanning for API keys
✓ SKILL.md requires absolute paths only for file operations — no relative path traversal risk
✓ SKILL.md restricts outbound data to only drawing-request-relevant payload
✓ No scripts, binary files, or sensitive files are present in the package — zero active malware surface
✓ No IOCs (IPs, domains, hashes) detected in the package