Skills
skills/elwinliu/umple-skills/umple-diagram-generator/Gen Agent Trust Hub

umple-diagram-generator

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/main.ts file contains a command injection vulnerability in the convertGvToSvg function where file paths derived from user input are interpolated into a shell command without sanitization.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx -y bun to run its logic, which can download the Bun runtime from the npm registry.
  • [PROMPT_INJECTION]: The skill processes untrusted natural language requirements into Umple models without sanitization or boundary markers, creating a surface for indirect prompt injection that leverages the skill's file-system and shell-execution capabilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 01:55 AM