mindmap-generator

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to modify the Python environment's search path (sys.path.insert) to point to a hardcoded absolute local directory (/Users/lius/Code/md2xmind) and then import and execute code from that directory. This pattern allows for the execution of unverified logic residing outside the skill's own package.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted user-supplied images and documents to extract structural information.
  • Ingestion points: Document files (PDF, DOCX, TXT, MD) and Image files (PNG, JPG, etc.) processed according to instructions in SKILL.md.
  • Boundary markers: Absent. The instructions do not provide delimiters or warnings for the agent to ignore instructions embedded within the content it is analyzing.
  • Capability inventory: The skill has file system access (read/write) and execution capabilities via Python scripts.
  • Sanitization: None detected. The extracted content is converted directly into Markdown and then passed to execution functions without filtering.
  • [EXTERNAL_DOWNLOADS]: The skill documentation requires the user to install the playwright package and the chromium browser binary, which involves downloading executable content from external sources at runtime.
  • [DATA_EXFILTRATION]: There is a significant contradiction regarding data handling. While the README.md claims no external API is needed, the SKILL.md '注意事项' (Notes) section explicitly states that a 'valid OpenRouter API Key' is required. This discrepancy obscures whether user data is being sent to a third-party service.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 24, 2026, 10:35 AM
Security Audit — agent-trust-hub — mindmap-generator