animated-diagram
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: No evidence of malicious behavior, data exfiltration, or credential exposure was found. The skill operates exclusively as a local visual rendering tool for technical diagrams.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection via Mermaid node labels. Ingestion points: The mermaid source text provided as a prop to templates/DiagramBoard.tsx and parsed in templates/parse-mermaid.ts. Boundary markers: No explicit sanitization or delimiters to ignore embedded instructions are present in the parser. Capability inventory: The skill is restricted to UI rendering and lacks network requests, file system access, or subprocess execution capabilities. Sanitization: Node labels are rendered using dangerouslySetInnerHTML in templates/Node.tsx to support line breaks (), which could be leveraged for XSS if the diagram content originates from an untrusted source.
Audit Metadata