drawio

Warn

Audited by Snyk on Jun 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The installer runs commands that fetch and run remote code (e.g., "npx skills add Agents365-ai/365-skills" and the manual "git clone https://github.com/Agents365-ai/drawio-skill.git"), which are runtime install steps that download and execute external code relied on by the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs installing system-level software (e.g., "sudo apt install xvfb", .deb/.rpm installs, global npx installs, and an install script that detects/installs the CLI) which requires elevated privileges and modifies the machine state.

Issues (2)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 07:06 AM
Issues
2
Security Audit — snyk — drawio