Excalidraw Skill

Security checks across malware telemetry and agentic risk

Overview

This markdown-only skill is purpose-aligned for creating Excalidraw diagrams, with a clear caveat that its default SVG export path can send diagram contents to Kroki.

Installing the skill is reasonable for diagram generation. For sensitive diagrams, prefer the local CLI or a local Kroki Docker endpoint instead of kroki.io, and review any optional global npm or macOS patch steps before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill recommends using the external Kroki API as the default export path and states that SVG is rendered via https://kroki.io, but it does not clearly require user consent or warn that the full diagram content will be transmitted off-host. If users render architecture, workflow, or system diagrams containing internal names, credentials, endpoints, or sensitive business logic, that information may be disclosed to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.
