drawio
Warn
Audited by Snyk on Jun 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer runs commands that fetch and run remote code (e.g., "npx skills add Agents365-ai/365-skills" and the manual "git clone https://github.com/Agents365-ai/drawio-skill.git"), which are runtime install steps that download and execute external code relied on by the skill.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs installing system-level software (e.g., "sudo apt install xvfb", .deb/.rpm installs, global npx installs, and an install script that detects/installs the CLI) which requires elevated privileges and modifies the machine state.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata