Scan Report
5/100
mindflow
Converts text, Markdown files, or Txt files into mind map images using markmap and puppeteer
The 'mindflow' skill is a legitimate text-to-mindmap converter that uses markmap and puppeteer. The JavaScript implementation is straightforward and matches its documented purpose.
Safe to install
No action needed. The skill is safe to use.
Findings 2 items
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Dependencies not version-pinned | Supply Chain | SKILL.md:13 |
| Info | Puppeteer sandbox flags | Priv Escalation | scripts/html-to-image.js:287 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | Line 302: fs.readFileSync(options.input, 'utf-8') |
| Filesystem | WRITE | WRITE | ✓ Aligned | Line 331: screenshotOptions.path = outputPath |
| Network | NONE | NONE | — | No outbound network calls; puppeteer internal browser networking only |
| Shell | NONE | NONE | — | No subprocess/exec calls found |
File Tree
2 files · 17.3 KB · 574 lines (JavaScript: 1 file, 456 lines; Markdown: 1 file, 118 lines)
├─ scripts
│  └─ html-to-image.js (JavaScript)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| puppeteer | * | npm | No | Version not pinned in documentation |
| markmap-cli | * | npm | No | Version not pinned in documentation |
| markmap-lib | * | npm | No | Version not pinned in documentation |
| markmap-render | * | npm | No | Version not pinned in documentation |
Security Positives
✓ Code is clean, well-structured, and readable
✓ No obfuscation, base64 encoding, or eval() usage
✓ No credential harvesting or sensitive data access
✓ No network exfiltration or C2 communication
✓ No hidden functionality - implementation matches documentation
✓ Input validation present for file existence and type
✓ Error handling with try/finally blocks
✓ No reverse shell or RCE capabilities