drawio-diagram
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in SKILL.md direct the agent to execute shell commands using the Bash tool with the pattern `node {SKILL_DIR}/scripts/drawio-cli.js <command> --content "<content>"`. Since `<content>` is intended to be user-provided diagram source (XML, CSV, or Mermaid), this creates a significant surface for command injection. If the agent does not strictly escape shell-active characters like backticks, semicolons, or dollar signs, an attacker could execute arbitrary code on the host system.
- [EXTERNAL_DOWNLOADS]: The 'Error Handling' section of SKILL.md suggests checking for the existence of, or using, `npx @drawio/mcp`. Executing commands via npx involves downloading and running code from the npm registry, which introduces a dependency on external, third-party code at runtime.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted diagram data to perform actions.
  - Ingestion points: User-provided diagram definitions (XML, CSV, Mermaid) passed to the CLI commands described in SKILL.md.
  - Boundary markers: No delimiters or protective instructions are specified to help the agent distinguish between diagram data and potential malicious instructions.
  - Capability inventory: The skill has the capability to execute shell commands via the Bash tool, as defined in the allowed-tools section and the command usage examples.
  - Sanitization: There is no evidence of input validation or sanitization of the content before it is passed to the shell environment.
Audit Metadata