lzfxxx

Prompt to Drawio

Author: Zhaofeng · GitHub · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 263
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install prompt-to-drawio
Description
Generate and edit draw.io artifacts from natural-language prompts without a frontend. Use when the user asks for prompt-to-diagram workflows that need `.draw...
Security usage recommendations
This skill appears to do what it claims (generate/edit/export draw.io diagrams using an LLM), but take these precautions before installing or running it:
- Be aware the CLI auto-loads the nearest .env (searches upward) by default and will populate process env vars. If you have sensitive secrets in a project .env, those may be read and (if used as input) sent to the model endpoint. Run with --no-dotenv or set DRAWIO_DOTENV_FILE explicitly to avoid accidental loading.
- The tool will ingest local files and URLs you pass with --file/--url and send their content to the model provider. Do not pass files that contain secrets or sensitive data unless you trust the provider.
- Check the startup configuration summary the script prints (it masks keys but reports presence) to verify which key/base URL will be used.
- If you plan to run inside an agent (in-session LLM mode), prefer that mode so the script does not need an external API key.
- Review and/or run the included script in a controlled environment first (no sensitive .env nearby) to confirm behavior.
If you are uncomfortable with automatic .env loading, always use --no-dotenv and provide keys explicitly via secure means. If you want, I can highlight the exact lines in the script that implement .env auto-loading, dotenv precedence, and the network fetches so you can review them more easily.
Functional analysis
Type: OpenClaw Skill
Name: prompt-to-drawio
Version: 0.1.0
The skill bundle provides a CLI tool for generating and editing draw.io diagrams via LLM APIs, but it includes several high-risk capabilities. Specifically, the script `scripts/prompt_to_drawio.py` performs subprocess execution (`subprocess.run`) to invoke local binaries like `drawio`, `docker`, and `gh`, and it fetches arbitrary remote content via `urllib.request.urlopen` for URL-based context ingestion. Additionally, the script implements an aggressive configuration discovery mechanism (`bootstrap_project_env`) that searches for and loads `.env` files from the current working directory up through all parent directories, which could lead to unintended secret exposure. While these features are aligned with the stated purpose of diagram generation and rendering, the combination of shell, network, and broad file access qualifies the bundle as suspicious.
Capability assessment
Purpose & Capability
Name/description align with what the code and SKILL.md do: generate/edit/export draw.io diagrams, ingest local files/URLs, look up shape libraries, and run optional LLM-driven validation. Expected environment variables (API keys) are documented for standalone CLI mode.
Instruction Scope
Runtime instructions and the script ingest local files (text/pdf/image), fetch URLs, and by default auto-load the nearest .env upward from the current working directory. Those behaviors are within the declared functionality, but auto-loading a project .env and reading arbitrary context files means secrets or other sensitive project values can end up in the environment or be sent to remote model endpoints unless the user explicitly opts out.
Install Mechanism
No install spec in the registry (instruction-only). README suggests GitHub cloning or npx installer, and the script references public GitHub raw URLs for shape libraries and standard Docker image jgraph/drawio as fallback. No opaque external download URLs or extract-from-arbitrary-IP patterns were found.
Credentials
The skill does not require credentials to be declared up-front, but the CLI supports/looks for DRAWIO_LLM_API_KEY, OPENAI_API_KEY and several related vars and will auto-load a nearby .env into the process environment. Auto-loading .env files (without explicit --no-dotenv) can pull unrelated secrets (AWS keys, DB passwords, etc.) into the process. This is plausible for a CLI that needs an LLM key, but the default upward-search dotenv behavior is a proportionality risk if the user is not aware.
Persistence & Privilege
Skill is not marked always:true and does not declare system-wide configuration changes. It reads/writes files the user requests (out-drawio/out-image/backup) and prints a startup config summary; no evidence of modifying other skills or agent-wide settings.
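How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install prompt-to-drawio
  3. Once installation completes, call the Skill by name or trigger it with /prompt-to-drawio
  4. Provide the required input according to the Skill's parameter description to get structured output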
Version history
v0.1.0
Initial ClawHub release.
Metadata
Slug: prompt-to-drawio
Version: 0.1.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 1
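FAQ

What is Prompt to Drawio?

Generate and edit draw.io artifacts from natural-language prompts without a frontend. Use when the user asks for prompt-to-diagram workflows that need `.draw... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 263 cumulative downloads to date.

How do I install Prompt to Drawio?

Run the command "/install prompt-to-drawio" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Prompt to Drawio free?

Yes, Prompt to Drawio is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Prompt to Drawio support?

Prompt to Drawio runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Prompt to Drawio?

It is developed and maintained by Zhaofeng (@lzfxxx); the current version is v0.1.0.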
