Mindmap Generator

Generates visual mindmap images from conversations, goals, decisions, and daily priorities — delivered as PNG images viewable directly in Telegram. Use when...

This skill appears to do what it says (generate Mermaid mindmaps and send them to Telegram), but there are a few important inconsistencies and operational notes you should consider before installing or enabling it: - TELEGRAM_BOT_TOKEN is required at runtime (used in scripts and README) but is not declared in the skill metadata or SKILL.md. Do not run the skill until you are ready to provide a bot token for a bot you control. Treat that token as sensitive. - The skill expects node and npx (declared). It also calls curl and may rely on a local/global mmdc binary; if mmdc is not installed it will run 'npx -y @mermaid-js/mermaid-cli', which downloads packages from npm at runtime. If you have supply-chain concerns, pre-install @mermaid-js/mermaid-cli in a controlled environment rather than letting npx fetch it. - All rendered images and any fallback text are sent to Telegram via the Bot API. Anything the agent includes in the mindmap (including meeting notes, transcripts, or other context) will be transmitted to Telegram servers. If the data is sensitive, consider using a private bot/account or avoid sending through Telegram. - The skill's SKILL.md instructs the agent to use calendar/memory/voice transcript context; ensure you are comfortable with the agent exposing those contexts to the bot-mediated delivery channel. - Operational recommendations: update the skill metadata to declare TELEGRAM_BOT_TOKEN and mention 'curl' as a dependency; run the scripts in a sandboxed environment first; verify the bot token scope and that the bot only has access to chats you expect; and, if you prefer, pre-install mermaid-cli to avoid runtime npx installs. Given these inconsistencies (missing declared env var and an undeclared runtime dependency), treat this skill as suspicious until the manifest is corrected and you confirm the deployment/runtime policy for npm downloads and Telegram bot usage.

Type: OpenClaw Skill Name: mindmap-generator Version: 1.0.0 The skill's primary function to generate and send mindmaps via Telegram is benign, but it contains suspicious elements and vulnerabilities. The `scripts/render_mindmap.sh` script attempts to load the `mmdc` executable from `/tmp/mmdc-test/node_modules`, which is an unusual and potentially exploitable search path that could allow an attacker to substitute a malicious executable. Furthermore, the `SKILL.md` instructions for the agent to `echo "$MERMAID_CONTENT" > /tmp/mindmap_input.mmd` introduce a prompt injection vulnerability, as a sophisticated agent could potentially be coerced into injecting shell commands into `$MERMAID_CONTENT`, leading to arbitrary code execution. The use of `npx -y` to auto-install `@mermaid-js/mermaid-cli` also presents a supply chain risk by bypassing user confirmation.