Generate valid FlowZap Code (.fz) diagrams from natural-language requests,
validate them, and return shareable FlowZap playground URLs.
This skill is designed to be paired with the flowzap-mcp server. The skill
gives the agent FlowZap-specific diagram knowledge and output rules; the MCP
server provides the actual tools.
SKILL.md plus reference files. It
does not execute code by itself.
flowzap-mcp server runs locally on the user's machine over stdio.
https://flowzap.xyz.
MCP package. Only generated FlowZap Code is sent to FlowZap public endpoints
when validation or playground creation is requested.
This setup has two parts:
to produce correct FlowZap Code.
playground URLs, diff diagrams, and apply structured changes.
Recommended:
npx skills add flowzap-xyz/flowzap-mcp --skill flowzap-diagrams
If your agent does not support skills.sh, install this bundle through your
agent's skill manager or by copying the folder into the agent's local skills
directory.
Manual locations:
.claude/skills/flowzap-diagrams/SKILL.md
.windsurf/skills/flowzap-diagrams/SKILL.md
.cursor/skills/flowzap-diagrams/SKILL.md
If the FlowZap MCP server is not already configured, install it:
# Claude Code
claude mcp add --transport stdio flowzap -- npx -y flowzap-mcp@1.3.6
# Or add to .mcp.json / claude_desktop_config.json / cursor / windsurf config:
{
"mcpServers": {
"flowzap": {
"command": "npx",
"args": ["-y", "flowzap-mcp@1.3.6"]
}
}
}
The pinned version 1.3.6 can be verified against the npm registry:
| Field | Value |
|-------|-------|
| npm | flowzap-mcp@1.3.6 |
| Integrity (SHA-512) | sha512-9pnsETVvbCj5+cDEbiwRBWbqaA+FDMIJFU/vylXCnJOAt6nuvlFQf3/M8WI6EeBoVtGw/OyBZtJTQSjFUh4U0w== |
| Shasum | 86a434a49f4ec9e6fae76cc34acb73f357e81b1f |
| Source | github.com/flowzap-xyz/flowzap-mcp |
| License | MIT |
To verify locally before use:
npm view flowzap-mcp@1.3.6 dist.integrity dist.shasum
Compatible tools: Claude Desktop, Claude Code, Cursor, Windsurf, OpenAI Codex,
Warp, Zed, Cline, Roo Code, Continue.dev, Sourcegraph Cody.
Not compatible: Replit, Lovable.dev.
Without the MCP server, this skill can still help an agent draft FlowZap Code,
but it cannot validate diagrams, create playground URLs, or use the FlowZap
tooling workflow described below.
| Tool | Purpose |
|------|---------|
| flowzap_validate | Check .fz syntax before sharing |
| flowzap_create_playground | Get a shareable playground URL |
| flowzap_get_syntax | Retrieve full DSL docs at runtime |
| flowzap_export_graph | Export diagram as structured JSON (lanes, nodes, edges) |
| flowzap_artifact_to_diagram | Parse HTTP logs / OpenAPI / code → diagram + playground URL |
| flowzap_diff | Structured diff between two .fz versions |
| flowzap_apply_change | Patch a diagram (insert/remove/update nodes/edges) |
FlowZap Code is not Mermaid, not PlantUML. It is a unique DSL offering a simple syntax for a triple-view option to workflow, sequence and architecture diagrams.
| Shape | Use for |
|-------|---------|
| circle | Start / End events |
| rectangle | Process steps / actions |
| diamond | Decisions (Yes/No branching) |
| taskbox | Assigned tasks (owner, description, system) |
n1, n2, n3 …
label:"Text"
[label="Text"]
n1.handle(right) -> n2.handle(left)
left, right, top, bottom
sales.n5.handle(top)
# Label comment on the same line as the opening brace
loop [condition] n1 n2 n3 — flat, inside a lane block
label="Text" on nodes (must be label:"Text").
label:"Text" on edges (must be [label="Text"]).
# Display Label per lane.
loop outside a lane's braces.
taskbox shape unless the user explicitly requests it.
Single lane:
process { # Process
n1: circle label:"Start"
n2: rectangle label:"Step"
n3: circle label:"End"
n1.handle(right) -> n2.handle(left)
n2.handle(right) -> n3.handle(left)
}
Two lanes with cross-lane edge:
user { # User
n1: circle label:"Start"
n2: rectangle label:"Submit"
n5: rectangle label:"Receive result"
n1.handle(right) -> n2.handle(left)
n2.handle(bottom) -> app.n3.handle(top) [label="Send"]
}
app { # App
n3: rectangle label:"Process"
n4: rectangle label:"Respond"
n3.handle(right) -> n4.handle(left)
n4.handle(top) -> user.n5.handle(bottom) [label="Result"]
}
Decision branch:
flow { # Flow
n1: rectangle label:"Check"
n2: diamond label:"OK?"
n3: rectangle label:"Fix"
n4: rectangle label:"Proceed"
n1.handle(right) -> n2.handle(left)
n2.handle(bottom) -> n3.handle(top) [label="No"]
n2.handle(right) -> n4.handle(left) [label="Yes"]
}
For the full DSL specification and advanced multi-lane examples: See references/syntax.md
flowzap_validate to verify syntax.
flowzap_create_playground to get a shareable URL.
Full MCP documentation: flowzap.xyz/docs/mcp
The trust boundary is intentionally narrow:
https://flowzap.xyz.
The flowzap-mcp server runs locally on the user's machine (stdio transport) and enforces the following safeguards:
| Control | Detail |
|---------|--------|
| TLS only | All outbound requests require https:// and are restricted to flowzap.xyz (SSRF protection) |
| No authentication | Uses only public FlowZap APIs; no API keys, tokens, or user credentials are stored or transmitted |
| No user-data access | Cannot read diagrams, accounts, or any data beyond what the agent explicitly passes in |
| Input validation | Code capped at 50 KB, total input at 100 KB; null bytes and control characters stripped |
| Rate limiting | Client-side 30 requests/minute sliding window |
| Request timeout | 30-second hard timeout with AbortController |
| Response sanitization | Only expected fields are returned; playground URLs validated against allowlist |
| Audit logging | All tool calls and API requests logged to stderr (not exposed to the MCP client) |
The MCP server processes raw inputs locally and sends only generated or agent-provided FlowZap Code to FlowZap public endpoints:
POST https://flowzap.xyz/api/validate — returns syntax validation result
POST https://flowzap.xyz/api/playground/create — returns an ephemeral playground URL (60-minute TTL, non-guessable token)
If the agent uses flowzap_artifact_to_diagram, the raw HTTP logs, OpenAPI spec,
or code snippet are parsed locally inside the MCP package first. Only the
resulting FlowZap Code is sent when a playground URL is created.
No local file paths, environment variables, user identity, repository contents,
or credentials are transmitted by the MCP package.
Playground URLs are ephemeral, time-limited (60-minute TTL), and use non-guessable cryptographic tokens. They are read-only views of the diagram code submitted at creation time. No account or login is required to view them; no data persists beyond the TTL.
| Endpoint | Data stored | Retention |
|----------|-------------|-----------|
| POST /api/validate | None — stateless; code is parsed in memory and discarded after the response | 0 (not persisted) |
| POST /api/playground/create | FlowZap Code only (in PostgreSQL) | 60 minutes (database row + playground URL both expire) |
The playground session is stored server-side with a cryptographic token (UUID v4). After the 60-minute TTL, the session is deleted — either on the next access attempt or during a periodic sweep. No user identity, file paths, environment variables, or host metadata are attached to the session.
process.env or shell variables
flowzap.xyz over TLS (SSRF-protected allowlist)
共 1 个版本