kroki
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches rendered diagram files (PNG, SVG, PDF, JPEG) from Kroki.io, which is a well-known and widely used diagram rendering service.
- [DATA_EXFILTRATION]: To perform its function, the skill sends the diagram source text to the Kroki.io API via a POST request. While it allows specifying a custom server URL via the `--server` flag, this is a standard feature for users who host their own Kroki instance.
- [COMMAND_EXECUTION]: The agent is instructed to run a local Python script (`scripts/render_diagram.py`) using the shell. The script uses the `argparse` module to safely process command-line arguments and does not perform any dangerous shell interpolation or subprocess spawning.
Audit Metadata