plantuml

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes several Python scripts (scripts/check_setup.py, scripts/convert_puml.py, scripts/process_markdown_puml.py, scripts/resilient_processor.py) that utilize the subprocess.run function to execute local commands. These commands are strictly limited to technical requirements for diagram generation, such as checking Java/Graphviz versions and invoking the PlantUML JAR file. The scripts use list-based arguments without shell=True, preventing common command injection vulnerabilities.
  • [EXTERNAL_DOWNLOADS]: The documentation (README.md, SKILL.md) contains installation instructions directing users to download necessary dependencies (Java, Graphviz, and the official plantuml.jar) from their respective official and well-known websites (oracle.com, graphviz.org, and plantuml.com). No automated or silent downloads of untrusted code occur within the skill's execution logic.
  • [SAFE]: The skill implements a robust architecture (Progressive Disclosure Architecture) and provides extensive troubleshooting guides. Its stated purpose—to generate and convert UML diagrams—aligns perfectly with the functionality provided in the scripts and examples. No evidence of prompt injection, credential exposure, or data exfiltration was found during the analysis.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 01:05 PM
Security Audit — agent-trust-hub — plantuml