Context-Inappropriate Capability
Medium
- Confidence
- 98% confidence
- Finding
- The script builds HTML with Python f-strings and inserts untrusted fields such as process_name, process_id, item names, descriptions, and step text directly into element content without HTML escaping. If attacker-controlled JSON is rendered and the output is opened in a browser, injected markup or JavaScript can execute, turning this diagram generator into an XSS-capable HTML emitter; the skill context makes this more concerning because generating browser-opened documents is its core function, so untrusted business data is likely to flow into the output.
