mindmap-generator
Warn
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to modify the Python environment's search path (
sys.path.insert) to point to a hardcoded absolute local directory (/Users/lius/Code/md2xmind) and then import and execute code from that directory. This pattern allows for the execution of unverified logic residing outside the skill's own package. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted user-supplied images and documents to extract structural information.
- Ingestion points: Document files (PDF, DOCX, TXT, MD) and Image files (PNG, JPG, etc.) processed according to instructions in
SKILL.md. - Boundary markers: Absent. The instructions do not provide delimiters or warnings for the agent to ignore instructions embedded within the content it is analyzing.
- Capability inventory: The skill has file system access (read/write) and execution capabilities via Python scripts.
- Sanitization: None detected. The extracted content is converted directly into Markdown and then passed to execution functions without filtering.
- [EXTERNAL_DOWNLOADS]: The skill documentation requires the user to install the
playwrightpackage and thechromiumbrowser binary, which involves downloading executable content from external sources at runtime. - [DATA_EXFILTRATION]: There is a significant contradiction regarding data handling. While the
README.mdclaims no external API is needed, theSKILL.md'注意事项' (Notes) section explicitly states that a 'valid OpenRouter API Key' is required. This discrepancy obscures whether user data is being sent to a third-party service.
Audit Metadata