preview-mermaid

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The validate_file_path function in lib/browser-utils.sh permits access to files outside the current directory because the PREVIEW_ALLOW_EXTERNAL_FILES variable defaults to "1". The run.sh script uses this function before reading file content with cat. This allows an agent to be manipulated into reading sensitive system or user files (e.g., SSH keys, credentials) and including them in the generated HTML preview.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the Mermaid.js library from cdn.jsdelivr.net. This is a well-known and trusted service. The implementation follows best practices by using Subresource Integrity (SRI) hashes and a Content Security Policy (CSP) to restrict the execution environment.
  • [COMMAND_EXECUTION]: The skill executes local bash scripts (run.sh) and standard utilities like cat, base64, sed, mkdir, and chmod to generate the HTML preview. It also invokes system browser tools (open, xdg-open, or start) to display the result.
  • [PROMPT_INJECTION]: The skill processes untrusted Mermaid diagram syntax. This represents an indirect prompt injection surface.
      • Ingestion point: run.sh reads input from files or stdin.
      • Boundary markers: None present to delimit user content.
      • Capability inventory: File reading, shell command execution, and browser-based rendering.
      • Sanitization: Content is Base64 encoded before insertion into the HTML template, and the Mermaid renderer uses securityLevel: 'strict' along with a CSP.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 09:38 AM