Diagram Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Gemini-backed diagram tool, but users should understand that selected prompts and files are sent to Gemini and that saved outputs are managed by an unauthenticated local web server.

Install only if you are comfortable sending selected prompts and attached files to Gemini. Do not attach secrets, environment files, credentials, or confidential repositories. Run the server locally, avoid exposing port 3000 to other users or networks, and periodically delete saved diagrams you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill declares required environment variables and binaries and explicitly instructs making HTTP requests to a localhost service, which are meaningful runtime capabilities even though no explicit permission model is declared. This creates a transparency and policy gap: users and reviewers may not realize the skill can access sensitive local inputs and transmit them to another process/service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The documented purpose is diagram generation/editing, but the behavior reportedly includes persistent server-side storage, file/project listing, deletion, static serving, and image export. That mismatch is dangerous because it expands the attack surface from transient generation into filesystem persistence and file management operations that users may not expect or authorize.

Description-Behavior Mismatch

Medium
Confidence
88%
Finding
The skill exposes persistent file-management capabilities (`save`, list, file delete, project delete) that go beyond transient diagram generation. Even though the code applies basic filename validation, these endpoints allow server-side storage and lifecycle management of user content, increasing attack surface, retention risk, and the consequences of misuse or compromise.

Context-Inappropriate Capability

Medium
Confidence
91%
Finding
The API provides arbitrary deletion of files and entire projects within the downloads area without any authentication or ownership checks. An attacker who can reach the service can delete any stored diagram artifacts by guessing project and file names, causing data loss and service disruption.

Missing User Warnings

Medium
Confidence
89%
Finding
The README explicitly encourages uploading source code, PDFs, and images to an AI-powered service and saving generated outputs to the server, but it does not warn users that sensitive content may be transmitted to a third-party model provider or persisted locally. In a diagram-generation skill that processes architecture sketches and code, this omission can lead users to expose proprietary system details, credentials, or internal designs without informed consent.

Missing User Warnings

Medium
Confidence
97%
Finding
The skill instructs reading local code/docs/images and sending their contents to a local HTTP service backed by Gemini, but provides no user-facing notice that workspace data may leave the agent boundary and be processed by an external model provider. Even with an allowlist/blocklist, permitted proprietary source code, docs, and images can still contain sensitive intellectual property or embedded secrets, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
91%
Finding
The app sends `attachedPromptFiles` directly to `/api/generate`, including raw text and base64-encoded PDF/image content, without any visible consent step or clear warning that uploaded context will be transmitted to an AI backend. This creates a real privacy and data-handling risk because users may attach source code, internal documents, or sensitive images assuming they are only used locally for rendering/editing.

Missing User Warnings

Medium
Confidence
90%
Finding
User prompts, extracted document text, and binary file contents are sent to Google's external AI service, but this server code contains no consent, disclosure, or filtering step before transmission. In a diagramming skill that explicitly accepts source code, architecture documents, images, and PDFs, this can expose sensitive intellectual property or secrets to a third party.

Ssd 1

High
Confidence
94%
Finding
The code concatenates user-supplied document text directly into the prompt as trusted context, allowing instructions embedded in uploaded files to influence model behavior. In this skill, uploaded files may contain source code, docs, or notes from untrusted sources, so prompt injection can cause the model to ignore user intent, exfiltrate embedded sensitive content into output, or generate malicious/unsafe diagrams or XML.

VirusTotal

64/64 vendors flagged this skill as clean.