mermaid-maker

Security checks across malware telemetry and agentic risk

Overview

This diagram skill is not overtly malicious, but it should be reviewed because it can automatically run npm and can send diagram contents to an external Kroki service without a clear consent gate.

Review before installing if you work with private architectures, schemas, or auth flows. Prefer local rendering, avoid Kroki for sensitive diagrams unless approved, and be aware that running the bundled scripts may invoke npm automatically and mutate the skill folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Severity: Medium, confidence 96%
The script automatically executes `npm install` when a dependency is missing, which causes network access and arbitrary package lifecycle scripts to run without explicit user consent. In a security-sensitive agent skill, this expands behavior beyond local diagram rendering into code acquisition and execution, creating supply-chain and unexpected-execution risk if the package, lockfile, registry, or environment is compromised.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
The script automatically runs `npm install` when a dependency is missing, which executes package-manager logic and may trigger lifecycle scripts from dependencies without explicit user approval. This creates a supply-chain and unexpected-code-execution risk, especially because invoking a renderer should not silently modify the project or fetch code from the network.

Context-Inappropriate Capability

Severity: Medium, confidence 97%
The script silently performs `npm install` when a local dependency is missing, which introduces network access, subprocess execution, and modification of the project environment in a code path that appears to only list available themes. This is dangerous because it expands the trust boundary to the npm registry and any install hooks of dependencies without explicit user approval, creating supply-chain and unexpected side-effect risk.

Vague Triggers

Severity: Medium, confidence 93%
The skill description instructs proactive use for very broad situations such as explaining any system with 3+ components, API flows, schemas, or state machines. This can cause the agent to invoke the skill in contexts where diagram generation is unnecessary or where sensitive architecture, schema, or workflow details may be written to disk or sent to a renderer, increasing exposure risk and reducing user control.

Missing User Warnings

Severity: Medium, confidence 97%
The rendering instructions present Kroki as a normal backend option and include commands that POST the full diagram content to an external service, but do not require a user-facing disclosure or consent step. Because Mermaid source may encode internal architecture, credentials flow, database schema, or other sensitive design data, this creates a real confidentiality risk.

Missing User Warnings

Severity: Medium, confidence 95%
The documentation recommends sending Mermaid source files to the public Kroki API without any explicit warning that the diagram contents leave the local machine. Mermaid diagrams often encode internal architecture, database schemas, service names, credentials-in-context, or other sensitive operational details, so this creates a real data-exposure risk if users follow the example with non-public content.

Missing User Warnings

Severity: Medium, confidence 98%
Spawning `npm install --no-fund --no-audit` as a subprocess without prior confirmation is an unsafe implicit side effect because `npm install` may execute package scripts and pull code from external sources. For a diagram-generation skill, this is more dangerous than normal helper behavior because users expect rendering, not dependency bootstrap that can modify the environment and execute third-party code.

Missing User Warnings

Severity: Medium, confidence 97%
This code modifies the local project and spawns a subprocess automatically, without prior confirmation in the tool's normal execution path. In a skill intended for diagram rendering, that behavior is more dangerous because users reasonably expect local file processing, not network dependency resolution and environment mutation, which increases surprise and abuse potential.

Missing User Warnings

Severity: Medium, confidence 98%
The script launches a package-manager subprocess and alters the working-directory contents without confirmation from the user. In a skill context, users invoking a simple theme-listing helper would not reasonably expect dependency installation and project mutation, which increases the chance of unintended code execution and environmental changes.

VirusTotal

65/65 vendors flagged this skill as clean.