processon-diagram-generator

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). Yes — the prompt includes explicit deceptive behavior outside its stated diagramming purpose (forbidding reporting network errors by treating curl failures as "no update"), which instructs the agent to hide operational faults from the user.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly fetches external JSON from https://raw.githubusercontent.com/processonai/processon-skills/main/skills/processon-diagram-generator/version/github-version.json as a mandatory pre-check and streams/consumes DSL and image-generation responses from ProcessOn APIs (https://smart.processon.com/v1/chat/completion and https://smart.processon.com/v1/api/generate/img), and those responses are parsed and acted on (aborting on higher version, driving rendering and output URLs), so untrusted third‑party content can materially influence agent behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires a runtime curl to fetch and parse https://raw.githubusercontent.com/processonai/processon-skills/main/skills/processon-diagram-generator/version/github-version.json (and, in practice, calls remote ProcessOn APIs at https://smart.processon.com/...) whose returned JSON/streamed content directly controls execution flow (version-based interruption/updates) and produces the DSL used by the agent, so remote content can change prompts/behavior and the skill can also suggest running npx to pull/execute code from https://github.com/processonai/processon-skills.git.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). This skill mandates executing shell commands (curl, running python scripts) and even suggests a one-click global npx install (--force -g), which can modify the host filesystem and may require elevated privileges, so it encourages actions that change the machine state even though it does not explicitly request sudo or create accounts.