Back to skill

Security audit

Markdown Diagram Renderer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should avoid using it on sensitive Markdown unless local renderers are installed and should be careful because it can modify the input file.

Install local renderers if diagrams may contain private architecture, hostnames, business logic, or secrets, because fallback rendering can send diagram source to third-party services. Use version control, backups, or an explicit output path before running because the default workflow can modify the Markdown file. Only set PLANTUML_JAR to a trusted PlantUML jar and install dependencies in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
src.write(code.strip())
                src_path = src.name
            
            result = subprocess.run(
                ['java', '-jar', plantuml_jar, f'-t{output_format}', src_path],
                capture_output=True,
                timeout=30
Confidence
91% confidence
Finding
result = subprocess.run( ['java', '-jar', plantuml_jar, f'-t{output_format}', src_path], capture_output=True, timeout=30 )

Tainted flow: 'plantuml_jar' from os.environ.get (line 287, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
src.write(code.strip())
                src_path = src.name
            
            result = subprocess.run(
                ['java', '-jar', plantuml_jar, f'-t{output_format}', src_path],
                capture_output=True,
                timeout=30
Confidence
97% confidence
Finding
result = subprocess.run( ['java', '-jar', plantuml_jar, f'-t{output_format}', src_path], capture_output=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation shows capabilities for environment access, file read/write, network access, and shell execution, but these are not clearly declared as permissions in a way that allows informed review. This creates a real security transparency problem: users may invoke a document-processing skill without realizing it can execute external tools, overwrite files, or send diagram contents to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a true vulnerability because the declared behavior understates important security-relevant actions: transmitting diagram source to third-party services, invoking local executables, embedding large base64 payloads, and potentially overwriting the source document. In context, this is especially dangerous because users may process sensitive internal Markdown files containing architecture details, secrets, or proprietary system design, leading to data leakage or destructive file changes they did not expect.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
When local Mermaid rendering fails, the code sends the full diagram source to mermaid.ink, a third-party service, without an explicit consent or policy check. Diagram blocks in Markdown can contain sensitive architecture, credentials, internal URLs, or business logic, so this creates a confidentiality and data-governance risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The PlantUML fallback transmits diagram source to a public remote service, exposing potentially sensitive content outside the local environment. The risk is heightened because the URL uses plain HTTP rather than HTTPS, enabling interception or tampering in transit.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
Reading PLANTUML_JAR from the environment introduces a trust boundary issue because environment variables may be attacker-controlled in shared runners, agent frameworks, or compromised launch contexts. Since that value later determines what code Java executes, this is security-relevant.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill silently uploads PlantUML source to an external service without a clear user-facing warning or consent flow. In a Markdown-processing skill, users may reasonably assume local processing, so silent egress of document content materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Mermaid fallback sends content to a third-party renderer without clearly informing the user, which can leak sensitive data embedded in diagrams. Because the tool automatically detects and processes Markdown blocks, the upload may occur unexpectedly and at scale.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill defaults to writing back to the input Markdown file when no output path is provided, which can silently destroy or alter user content. In an agentic context, this is risky because automated workflows may invoke the skill on important documents without an explicit confirmation step, causing unintended data loss or corruption.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Python 依赖

# Markdown AST 解析
mistletoe>=0.9.0

# Graphviz 图表渲染
graphviz>=0.20.0
Confidence
84% confidence
Finding
mistletoe>=0.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
mistletoe>=0.9.0

# Graphviz 图表渲染
graphviz>=0.20.0

# 可选依赖(根据需要安装):
# - nodejs + @mermaid-js/mermaid-cli (用于 Mermaid 本地渲染)
Confidence
84% confidence
Finding
graphviz>=0.20.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.