- Downloads: 263
- Stars: 0
- Active Installs: 0
- Versions: 1
Install in OpenClaw
/install prompt-to-drawio
Description
Generate and edit draw.io artifacts from natural-language prompts without a frontend. Use when the user asks for prompt-to-diagram workflows that need `.draw...
Usage Guidance
This skill appears to do what it claims (generate/edit/export draw.io diagrams using an LLM), but take these precautions before installing or running it:
- Be aware the CLI auto-loads the nearest .env (searches upward) by default and will populate process env vars. If you have sensitive secrets in a project .env, those may be read and (if used as input) sent to the model endpoint. Run with --no-dotenv or set DRAWIO_DOTENV_FILE explicitly to avoid accidental loading.
- The tool will ingest local files and URLs you pass with --file/--url and send their content to the model provider. Do not pass files that contain secrets or sensitive data unless you trust the provider.
- Check the startup configuration summary the script prints (it masks keys but reports presence) to verify which key/base URL will be used.
- If you plan to run inside an agent (in-session LLM mode), prefer that mode so the script does not need an external API key.
- Review and/or run the included script in a controlled environment first (no sensitive .env nearby) to confirm behavior. If you are uncomfortable with automatic .env loading, always use --no-dotenv and provide keys explicitly via secure means.
Capability Analysis
Type: OpenClaw Skill
Name: prompt-to-drawio
Version: 0.1.0
The skill bundle provides a CLI tool for generating and editing draw.io diagrams via LLM APIs, but it includes several high-risk capabilities. Specifically, the script `scripts/prompt_to_drawio.py` performs subprocess execution (`subprocess.run`) to invoke local binaries like `drawio`, `docker`, and `gh`, and it fetches arbitrary remote content via `urllib.request.urlopen` for URL-based context ingestion. Additionally, the script implements an aggressive configuration discovery mechanism (`bootstrap_project_env`) that searches for and loads `.env` files from the current working directory up through all parent directories, which could lead to unintended secret exposure. While these features are aligned with the stated purpose of diagram generation and rendering, the combination of shell, network, and broad file access qualifies the bundle as suspicious.
Capability Assessment
Purpose & Capability
Name/description align with what the code and SKILL.md do: generate/edit/export draw.io diagrams, ingest local files/URLs, look up shape libraries, and run optional LLM-driven validation. Expected environment variables (API keys) are documented for standalone CLI mode.
Instruction Scope
Runtime instructions and the script ingest local files (text/pdf/image), fetch URLs, and by default auto-load the nearest .env upward from the current working directory. Those behaviors are within the declared functionality, but auto-loading a project .env and reading arbitrary context files means secrets or other sensitive project values can end up in the environment or be sent to remote model endpoints unless the user explicitly opts out.
Install Mechanism
No install spec in the registry (instruction-only). README suggests GitHub cloning or npx installer, and the script references public GitHub raw URLs for shape libraries and standard Docker image jgraph/drawio as fallback. No opaque external download URLs or extract-from-arbitrary-IP patterns were found.
Credentials
The skill does not require credentials to be declared up-front, but the CLI supports/looks for DRAWIO_LLM_API_KEY, OPENAI_API_KEY and several related vars and will auto-load a nearby .env into the process environment. Auto-loading .env files (without explicit --no-dotenv) can pull unrelated secrets (AWS keys, DB passwords, etc.) into the process. This is plausible for a CLI that needs an LLM key, but the default upward-search dotenv behavior is a proportionality risk if the user is not aware.
Persistence & Privilege
Skill is not marked always:true and does not declare system-wide configuration changes. It reads/writes files the user requests (out-drawio/out-image/backup) and prints a startup config summary; no evidence of modifying other skills or agent-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install prompt-to-drawio`
- After installation, invoke the skill by name or use `/prompt-to-drawio`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial ClawHub release.
Frequently Asked Questions
What is Prompt to Drawio?
Generate and edit draw.io artifacts from natural-language prompts without a frontend. Use when the user asks for prompt-to-diagram workflows that need `.draw... It is an AI Agent Skill for Claude Code / OpenClaw, with 263 downloads so far.
How do I install Prompt to Drawio?
Run "/install prompt-to-drawio" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Prompt to Drawio free?
Yes, Prompt to Drawio is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Prompt to Drawio support?
Prompt to Drawio is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Prompt to Drawio?
It is built and maintained by Zhaofeng (@lzfxxx); the current version is v0.1.0.