process-flow-diagram
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The generated HTML files incorporate the html2canvas and jsPDF libraries from the jsDelivr CDN to support diagram export features. The skill includes Subresource Integrity (SRI) hashes for these scripts, ensuring the integrity and authenticity of the remote code.
- [SAFE]: The skill's logic is entirely focused on layout calculation and SVG generation. No suspicious patterns related to persistence, privilege escalation, or data exfiltration were identified.
- [PROMPT_INJECTION]: Indirect Prompt Injection surface evaluation:
- Ingestion points: User-supplied strings for workflow steps and descriptions are interpolated into the SVG content within resources/template.html.
- Boundary markers: The instructions do not explicitly mandate delimiters or boundary markers for these user strings.
- Capability inventory: The output is a client-side HTML file with JavaScript for local UI and file export tasks (PNG/PDF).
- Sanitization: While no specific sanitization instructions are provided to the agent, the risks are limited to the client-side execution environment of the generated diagram file.
Audit Metadata