skills/camacho/ai-skills/visualize/Gen Agent Trust Hub

visualize

Pass

Audited by Gen Agent Trust Hub on May 21, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes a helper script scripts/render-mermaid.ts that executes the Mermaid CLI via execFileSync. This is a standard and safe implementation for a visualization tool, as it avoids shell injection vulnerabilities by passing arguments directly to the binary.
  • [EXTERNAL_DOWNLOADS]: The rendering script utilizes npx to fetch the @mermaid-js/mermaid-cli package from the official npm registry at runtime. This allows the skill to render diagrams to high-resolution PNG files using the well-known Mermaid rendering engine.
  • [PROMPT_INJECTION]: The skill processes external data (conversation history, files) to create visualizations, which presents an indirect prompt injection surface.
  • Ingestion points: Content is identified from arguments, conversation context, or file paths (SKILL.md).
  • Boundary markers: No specific delimiters or "ignore instructions" warnings are defined for the input content.
  • Capability inventory: The skill can execute subprocesses via execFileSync and perform file system reads and writes (scripts/render-mermaid.ts).
  • Sanitization: There is no explicit sanitization or validation of the ingested content before it is used for visualization.
Audit Metadata
Risk Level
SAFE
Analyzed
May 21, 2026, 10:06 PM
Security Audit — agent-trust-hub — visualize