document-to-mindmap
Fail
Audited by Snyk on Jun 27, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). Yes — the skill includes hidden/deceptive operational mandates (e.g., forcibly running remote shell/version checks, suppressing/network-error messages, and requiring unconditional output of full unredacted URLs/params) that alter behavior and can enable exfiltration or silent updates beyond the user-facing mindmap generation purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (medium risk: 0.65). 运行时 LLM 上下文的输入来自用户提供的
--markdown/--markdown-file内容(resolve_markdown_input读取后放入payload["markdown"]并 POST 到TRANSFORM_MD_API_URL),因此若该内容包含“非操作用户选择引入的外部自由文本”(如他人消息/网页抓取/他人文档正文),就会被送入模型上下文;该技能本身不做来源净化/隔离。
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly performs a runtime fetch of https://raw.githubusercontent.com/processonai/processon-skills/main/skills/document-to-mindmap/version/github-version.json to decide whether to interrupt and prompt for an update, and (with user consent) runs a command that fetches and installs remote code from https://github.com/processonai/processon-skills.git, so external content is used at runtime to control prompts and can result in executing remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to run shell commands that modify the host (including an automatic global npx install --force -g which can change system packages and may require elevated privileges), so it directs activities that alter machine state even though it does not explicitly request sudo or create users.
Issues (4)
E004
CRITICALPrompt injection detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata