drawio
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill runs the @next-ai-drawio/mcp-server package via npx, which fetches the package from the npm registry on first use, to provide optional live diagram editing in the browser. During installation it also runs npm view to check that the package is available in the registry.
- [COMMAND_EXECUTION]: The skill runs a local Node.js script (scripts/cli.js) for diagram conversion and validation. It also invokes the Draw.io Desktop application to export diagrams to PNG, PDF and SVG, using validated paths to the executable.
- [SAFE]: The skill implements security-conscious practices, including regex-based validation for theme names and icon identifiers to prevent path traversal or style injection, and explicitly instructs the agent to treat user-provided content as untrusted data.
Audit Metadata