generate mermaid diagrams

Security checks across malware telemetry and agentic risk

Overview

This diagram skill appears purpose-built for Mermaid rendering, but its scripts can run unintended local shell commands if given crafted paths or filenames.

Review before installing. Use only trusted content and simple safe paths until the scripts are fixed to call mmdc with argument arrays, and prefer a pinned local Mermaid CLI dependency over the global installer.

SkillSpector

By NVIDIA

Vulnerability Patterns

Behavioral ASTexec() Call, eval() Call, Dynamic Import
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The script builds shell command strings with unquoted, interpolated file paths derived from arguments and then executes them via execSync. If an attacker can control the input or output path, shell metacharacters such as ';', '&', '$()', or spaces can alter the command and achieve arbitrary command execution under the script's privileges.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The script builds a shell command with a user-controlled file path and passes it to execSync without quoting or argument separation. If an attacker can supply a directory or filename containing shell metacharacters, they may achieve command injection and execute arbitrary commands on the host running validation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal