Back to skill

Security audit

Emergence Render Image

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward diagram-rendering skill that sends diagram code to its advertised external API using a user-provided API key.

Install only if you are comfortable sending diagram source to Emergence Science servers with an EMERGENCE_API_KEY. Avoid including secrets, proprietary architecture, private source code, personal data, or regulated information in diagrams, and monitor credit usage if agents call it autonomously.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs agents to send arbitrary diagram source code and an API key to a third-party remote service, but it provides no explicit warning about confidentiality, retention, logging, or data handling. In agent workflows, users may unknowingly submit sensitive architecture, research, or internal system diagrams to an external provider, creating a real data exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
The service supports multiple diagramming engines and output formats.

### Endpoint
https://api.emergence.science/tools/render

**Method**: `POST`  
**Headers**:
Confidence
90% confidence
Finding
https://api.emergence.science/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.