Mermaid Workflow Skill
by runmanfm-bit · v1.0.0
419 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install mermaid-workflow-skill
Description
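Generates Mermaid diagram definition files, calls the Mermaid CLI to convert them to PNG, and inserts the image link at a specified position in a Markdown file.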
Usage Guidance
What to check before installing/using:
1) The skill needs Mermaid CLI (mmdc) and Node/npm; the registry metadata omitted that, so install mmdc (or use npx) beforehand.
2) Inspect the included scripts yourself (they are plain Python): they run subprocesses (mmdc or npx), will modify Markdown files, and may create a puppeteer config in your home directory.
3) The conversion uses Puppeteer with --no-sandbox to avoid sandbox errors; that flag reduces Chromium sandboxing and may be undesirable on multi-tenant hosts. Avoid or constrain usage on sensitive systems (use a container/CI runner instead).
4) Run the quick_start in an isolated environment (local VM or container) the first time, and back up any Markdown files before using insertion features.
5) If you want to allow autonomous agent invocation, be aware it will be able to run the scripts, which execute shell commands and write files locally.
If these points are acceptable and you trust the package, the skill otherwise appears coherent; if you need higher assurance, ask the package author to update the registry metadata to declare required binaries and provide signed release details.
Capability Analysis
Type: OpenClaw Skill
Name: mermaid-workflow-skill
Version: 1.0.0
The skill's core purpose of creating, converting, and inserting Mermaid diagrams is benign. However, it is classified as 'suspicious' due to the explicit and repeated use of the `--no-sandbox` flag for Puppeteer/Chromium in `SKILL.md`, `quick_start.sh`, and `scripts/convert_mermaid.py`. This disables a critical security feature, making the system vulnerable to potential sandbox escapes if `mmdc` processes untrusted input. Additionally, `scripts/convert_mermaid.py` executes external commands via `subprocess.run` and `scripts/create_mermaid.py` embeds user input directly into Mermaid templates, which, without robust sanitization, could introduce command injection or rendering-based vulnerabilities, although no clear malicious intent for self-exploitation is observed. There is no evidence of data exfiltration, persistence, or other malicious activities.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts clearly require Mermaid CLI (mmdc) and Python 3.8+, and the README/quick_start instruct installing @mermaid-js/mermaid-cli and configuring Puppeteer. However the registry metadata lists no required binaries or env vars — that's an incoherence: the skill will fail or behave unexpectedly unless mmdc/node/npm are present. Requesting no credentials is appropriate for the stated purpose.
Instruction Scope
Runtime instructions restrict actions to local file creation, invoking mmdc (or npx @mermaid-js/mermaid-cli) and modifying Markdown files. The scripts operate on local .mmd/.png/.md files, compute relative paths, copy files, and may create a puppeteer config in the user's home. There are no network endpoints or credential exfiltration steps in the scripts. The instruction set does ask the agent to run shell/python commands (exec examples) which will execute local subprocesses — expected for this utility but worth auditing.
Install Mechanism
No automatic install spec is provided (instruction-only + included scripts). The skill recommends using npm/npx to obtain mmdc; there are no downloads from untrusted URLs in the package. This is a lower-risk install mechanism, but it depends on the user installing third-party npm packages (mermaid-cli) which is expected.
Credentials
The skill requests no credentials or privileged environment variables, which is proportionate. It does mention optional environment variables for defaults in README, but the scripts do not require secrets. One caveat: the script may write a Puppeteer config file to the user's home (~/.mermaid-puppeteer-config.json) if invoked with create_config — this is reasonable for operation but should be expected by the user.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or global agent settings. It can write files (templates, output .png/.mmd, puppeteer config) in local directories or home; this is normal for a file-generation utility. Autonomous invocation is allowed by default (not flagged here), but weigh that together with the local filesystem writes when deciding whether to enable the skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install mermaid-workflow-skill
- After installation, invoke the skill by name or use /mermaid-workflow-skill
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
mermaid-workflow-skill v1.0.0
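- Initial release
- Supports automated processing of 8 types of Mermaid diagrams, including technology roadmaps, system architecture diagrams, and flowcharts
- Covers the complete workflow of Mermaid definition, PNG conversion, and Markdown insertion
- Includes a rich set of templates and examples for getting started quickly
- Provides scripted parameter control, plus troubleshooting and best-practice notes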
Frequently Asked Questions
What is Mermaid Workflow Skill?
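It generates Mermaid diagram definition files, calls the Mermaid CLI to convert them to PNG, and inserts the image link at a specified position in a Markdown file. It is an AI Agent Skill for Claude Code / OpenClaw, with 419 downloads so far.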
How do I install Mermaid Workflow Skill?
Run "/install mermaid-workflow-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mermaid Workflow Skill free?
Yes, Mermaid Workflow Skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Mermaid Workflow Skill support?
Mermaid Workflow Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Mermaid Workflow Skill?
It is built and maintained by runmanfm-bit (@runmanfm-bit); the current version is v1.0.0.