Mermaid Workflow Skill
Author: runmanfm-bit · v1.0.0
- Total downloads: 419
- Favorites: 0
- Current installs: 1
- Versions: 1
Install in OpenClaw
/install mermaid-workflow-skill
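Description
Generates Mermaid diagram definition files, calls the Mermaid CLI to convert them to PNG, and inserts the image link at a specified location in a Markdown file.
Security usage recommendations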
What to check before installing/using:
1) The skill needs Mermaid CLI (mmdc) and Node/npm; the registry metadata omitted that, so install mmdc (or use npx) beforehand.
2) Inspect the included scripts yourself (they are plain Python); they run subprocesses (mmdc or npx) and will modify Markdown files and may create a puppeteer config in your home directory.
3) The conversion uses Puppeteer with --no-sandbox to avoid sandbox errors; that flag reduces Chromium sandboxing and may be undesirable on multi-tenant hosts. Avoid or constrain usage on sensitive systems (use a container/CI runner instead).
4) Run the quick_start in an isolated environment (local VM or container) the first time, and back up any Markdown files before using insertion features.
5) If you want to allow autonomous agent invocation, be aware it will be able to run the scripts which execute shell commands and write files locally.
If these points are acceptable and you trust the package, the skill appears coherent otherwise; if you need higher assurance, request the package author to update registry metadata to declare required binaries and provide signed release details.
Functional analysis
Type: OpenClaw Skill
Name: mermaid-workflow-skill
Version: 1.0.0
The skill's core purpose of creating, converting, and inserting Mermaid diagrams is benign. However, it is classified as 'suspicious' due to the explicit and repeated use of the `--no-sandbox` flag for Puppeteer/Chromium in `SKILL.md`, `quick_start.sh`, and `scripts/convert_mermaid.py`. This disables a critical security feature: with the Chromium sandbox off, a browser exploit triggered while `mmdc` processes untrusted input is no longer contained. Additionally, `scripts/convert_mermaid.py` executes external commands via `subprocess.run` and `scripts/create_mermaid.py` embeds user input directly into Mermaid templates, which, without robust sanitization, could introduce command injection or rendering-based vulnerabilities, although no clear malicious intent for self-exploitation is observed. There is no evidence of data exfiltration, persistence, or other malicious activities.
Capability assessment
Purpose & Capability
The SKILL.md and scripts clearly require Mermaid CLI (mmdc) and Python 3.8+, and the README/quick_start instruct installing @mermaid-js/mermaid-cli and configuring Puppeteer. However the registry metadata lists no required binaries or env vars — that's an incoherence: the skill will fail or behave unexpectedly unless mmdc/node/npm are present. Requesting no credentials is appropriate for the stated purpose.
Instruction Scope
Runtime instructions restrict actions to local file creation, invoking mmdc (or npx @mermaid-js/mermaid-cli) and modifying Markdown files. The scripts operate on local .mmd/.png/.md files, compute relative paths, copy files, and may create a puppeteer config in the user's home. There are no network endpoints or credential exfiltration steps in the scripts. The instruction set does ask the agent to run shell/python commands (exec examples) which will execute local subprocesses — expected for this utility but worth auditing.
Install Mechanism
No automatic install spec is provided (instruction-only + included scripts). The skill recommends using npm/npx to obtain mmdc; there are no downloads from untrusted URLs in the package. This is a lower-risk install mechanism, but it depends on the user installing third-party npm packages (mermaid-cli) which is expected.
Credentials
The skill requests no credentials or privileged environment variables, which is proportionate. It does mention optional environment variables for defaults in README, but the scripts do not require secrets. One caveat: the script may write a Puppeteer config file to the user's home (~/.mermaid-puppeteer-config.json) if invoked with create_config — this is reasonable for operation but should be expected by the user.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or global agent settings. It can write files (templates, output .png/.mmd, puppeteer config) in local directories or home; this is normal for a file-generation utility. Autonomous invocation is allowed by default (not flagged here), but weigh that together with the local filesystem writes when deciding whether to enable the skill.
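How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install mermaid-workflow-skill
- Once installation completes, call the Skill by name or use /mermaid-workflow-skill to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output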
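Version history
v1.0.0
mermaid-workflow-skill v1.0.0
- Initial release
- Supports automated processing of 8 types of Mermaid diagrams, including technology roadmaps, system architecture diagrams, and flowcharts
- Covers the complete workflow of Mermaid definition, PNG conversion, and Markdown insertion
- Includes a rich set of templates and examples for getting started quickly
- Provides scripted parameter control plus troubleshooting and best-practice notes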
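Frequently asked questions
What is Mermaid Workflow Skill?
It generates Mermaid diagram definition files, calls the Mermaid CLI to convert them to PNG, and inserts the image link at a specified location in a Markdown file. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 419 cumulative downloads so far.
How do I install Mermaid Workflow Skill?
Run the command "/install mermaid-workflow-skill" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is Mermaid Workflow Skill free?
Yes, Mermaid Workflow Skill is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Mermaid Workflow Skill support?
Mermaid Workflow Skill runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Mermaid Workflow Skill?
It is developed and maintained by runmanfm-bit (@runmanfm-bit); the current version is v1.0.0.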