mermaid-canvas

Render Mermaid code into PNG images supporting all 27 Mermaid 11 chart types, with optional upload to Feishu docs, requiring no API keys.

This skill appears to be what it claims — it generates PNGs from Mermaid — but proceed with caution. Things to check before installing or using it: - Feishu upload: The skill advertises optional Feishu integration but declares no Feishu credentials. Confirm how upload is implemented in your OpenClaw environment (does it call a platform feishu_doc_media tool that already has credentials?). Do not supply unrelated secrets to this skill; instead verify the platform-level Feishu integration. - Remote resources and data exfiltration: The generated HTML loads mermaid from jsdelivr and the script uses securityLevel: 'loose'. That allows more permissive HTML/JS in the rendering page and could execute content embedded in diagrams. The fallback sends the diagram (base64-encoded) to mermaid.ink. Avoid rendering diagrams that contain sensitive information (passwords, API keys, private system details) because that data could be transmitted or executed remotely. - Hardening suggestions: If you control the environment, prefer serving mermaid locally (avoid CDN), set securityLevel to a stricter option (if available), or sanitize diagram text before rendering. Require an explicit, reviewed implementation for Feishu upload that documents how credentials are used. - Operational note: The script returns an HTML path and expects the platform 'browser' tool to load and snapshot it — confirm that the browser environment is sandboxed and that snapshots do not leak local files or agent secrets. If you can get answers about how Feishu uploads are implemented and can accept the runtime use of external CDNs/APIs (or replace them with offline alternatives), the skill is usable. If you need to render sensitive diagrams, do not use the default CDN/fallback without hardening.

Type: OpenClaw Skill Name: mermaid-canvas Version: 1.0.0 The skill provides Mermaid diagram rendering functionality but contains a high-risk configuration and external data transmission. Specifically, both SKILL.md and scripts/mermaid_render.py initialize Mermaid with 'securityLevel: loose', which is a known vulnerability that allows for XSS or potential remote execution within the browser environment used for rendering. Additionally, the script includes a fallback mechanism that exfiltrates diagram code to an external third-party API (https://mermaid.ink) if local rendering fails. While these behaviors are technically aligned with the stated purpose, the combination of a weakened security sandbox and external data transmission warrants a suspicious classification.