excalidraw-generator

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill performs legitimate data transformation tasks without exhibiting any malicious patterns such as prompt injection, data exfiltration, or unauthorized command execution. All file operations are confined to writing diagram data in the local working directory and follow standard security practices for data-oriented skills.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to process untrusted external data (code, SQL, configurations) to generate visualizations. While this ingestion of external content is a known attack surface, the risk is negligible as the skill translates this data into a structured JSON format (Excalidraw) rather than executable scripts, minimizing the impact of any embedded instructions. (Evidence: 1. Ingestion points: Phase 1 in SKILL.md; 2. Boundary markers: Absent; 3. Capability inventory: File writing in Phase 3 of SKILL.md; 4. Sanitization: Structural and schema validation performed in Phase 4 and by the json-validator subagent.)
Audit Metadata
Risk Level: SAFE
Analyzed: May 3, 2026, 02:46 PM