Security audit

Excalidraw Diagram Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate Excalidraw diagram files as advertised. Its PNG export path fits that purpose but depends on rendering code fetched over the network at run time, so it should be used with care for sensitive diagrams.

Install only if you are comfortable with local file creation and with a PNG export that launches headless Chromium and loads remote JavaScript. For confidential architecture, business, or credential-adjacent diagrams, use only the .excalidraw output or an offline/self-hosted renderer rather than the network-based export path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87%
Finding
The skill writes files to disk and appears to rely on reading local references, but it declares no permissions or capability boundaries. That creates a transparency and policy-enforcement gap: an agent may invoke file operations users and orchestrators did not explicitly approve.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94%
Finding
The manifest says the skill generates Excalidraw JSON from natural language, but the documented behavior also performs default PNG export, consumes an input .excalidraw file for export, and loads external CDN resources. This mismatch is dangerous because users and calling systems may authorize a low-risk local generation task while the skill actually performs network access and additional processing outside the stated scope.

Description-Behavior Mismatch

Medium
Confidence
91%
Finding
The documentation expands the skill from producing .excalidraw JSON files to automatically exporting PNG by default. This broadens the operational surface beyond the declared purpose and can trigger unexpected code execution paths, dependency use, and side effects for a task that users may expect to remain a simple local file-generation action.

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
Default headless PNG export requires Python tooling, Playwright, Chromium, and network access to external resources, none of which are justified by the stated core purpose of generating Excalidraw JSON. This increases attack surface and can expose local content or metadata to third-party services during rendering.
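The four findings above reduce to one check: does what the bundle actually does match what its manifest declares? The scanner below is an added example, not the skill's code and not SkillSpector's; the manifest, the export script, the capability names and the severity labels are all constructed for illustration. It looks for textual signatures of file I/O, network access, browser automation and environment access, and separately for the two behaviours the audit rates most serious: remote script loads and driving a real browser to a third-party page.

```python
"""Added example: compare declared capabilities with observed behaviour.

Deliberately coarse, regex-based static analysis of a skill bundle. The
sample manifest and script are constructed stand-ins shaped like the
behaviour the audit describes; they are not the audited skill's files.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# capability name -> regexes that indicate the bundle relies on it
CAPABILITY_SIGNATURES = {
    "fs.write": [r"\bopen\([^)]*,\s*['\"][wa]", r"\.write_text\(", r"\.write_bytes\("],
    "fs.read": [r"\bopen\([^)]*,\s*['\"]r", r"\.read_text\(", r"\.read_bytes\("],
    "net.fetch": [r"https?://", r"\brequests\.(get|post)\(", r"\burllib\.request\b"],
    "browser.automation": [r"\bplaywright\b", r"\bchromium\b", r"\bpuppeteer\b"],
    "env.read": [r"\bos\.environ\b", r"\bos\.getenv\("],
}
# remote code loading: <script src="https://..."> or Playwright add_script_tag(url=...)
REMOTE_SCRIPT_RES = [
    re.compile(r"""<script[^>]*\bsrc=["'](https?://[^"']+)["']""", re.I),
    re.compile(r"""add_script_tag\([^)]*\burl\s*=\s*["'](https?://[^"']+)["']"""),
]
# a browser being pointed at a third-party web application
PAGE_GOTO_RE = re.compile(r"""\.goto\(\s*["'](https?://[^"']+)["']""")
CDN_HOSTS = ("unpkg.com", "cdn.jsdelivr.net", "cdnjs.cloudflare.com")


@dataclass
class ScanResult:
    observed: set = field(default_factory=set)
    remote_scripts: list = field(default_factory=list)
    third_party_pages: list = field(default_factory=list)
    undeclared: set = field(default_factory=set)


def scan_text(text: str, result: ScanResult) -> None:
    """Accumulate capability signatures and remote-code indicators from one file."""
    for cap, patterns in CAPABILITY_SIGNATURES.items():
        if any(re.search(p, text) for p in patterns):
            result.observed.add(cap)
    for rx in REMOTE_SCRIPT_RES:
        result.remote_scripts.extend(rx.findall(text))
    result.third_party_pages.extend(PAGE_GOTO_RE.findall(text))


def audit(declared: set, files: dict) -> ScanResult:
    """Scan every file in the bundle; anything observed but not declared is a gap."""
    result = ScanResult()
    for text in files.values():
        scan_text(text, result)
    result.undeclared = result.observed - declared
    return result


def findings(result: ScanResult) -> list:
    """Turn a ScanResult into severity-labelled one-line findings."""
    out = []
    for url in result.remote_scripts:
        host = urlsplit(url).hostname or ""
        level = "HIGH" if host.endswith(CDN_HOSTS) else "MEDIUM"
        out.append(f"{level}: executes remote script from {host}: {url}")
    for url in result.third_party_pages:
        out.append(f"HIGH: drives a browser to third-party page {url}; injected diagram data is visible to it")
    for cap in sorted(result.undeclared):
        out.append(f"MEDIUM: uses capability '{cap}' that the manifest does not declare")
    return out


# Constructed inputs (not the real skill): the manifest declares only local
# file creation, while the export script does considerably more.
SAMPLE_MANIFEST = {
    "name": "excalidraw-diagram-generator",
    "description": "Generates Excalidraw JSON diagrams from natural language.",
    "permissions": ["fs.write"],
}
SAMPLE_FILES = {
    "export_png.py": '''
import json, sys
from playwright.sync_api import sync_playwright

BUNDLES = """
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script src="https://unpkg.com/react-dom@18/umd/react-dom.production.min.js"></script>
<script src="https://unpkg.com/@excalidraw/excalidraw/dist/excalidraw.production.min.js"></script>
"""
scene = json.load(open(sys.argv[1], "r"))
with sync_playwright() as p:
    page = p.chromium.launch(headless=True).new_page()
    page.goto("https://excalidraw.com/")
    page.evaluate("s => window.scene = s", scene)
    open(sys.argv[2], "wb").write(page.screenshot())
''',
}

if __name__ == "__main__":
    for line in findings(audit(set(SAMPLE_MANIFEST["permissions"]), SAMPLE_FILES)):
        print(line)
```

Run as a script it prints seven findings for the constructed bundle: three HIGH entries for the unpkg.com scripts, one HIGH for the excalidraw.com navigation, and MEDIUM entries for the undeclared fs.read, net.fetch and browser.automation capabilities. The `https?://` signature is intentionally broad; in a real audit it flags documentation links too, which is the right default for a least-privilege check that should fail noisy rather than quiet.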

Vague Triggers

Medium
Confidence
84%
Finding
The trigger list includes broad phrases like 'visualize' and 'architecture diagram,' which can match common user requests and cause the skill to activate unexpectedly. Over-broad invocation boundaries are risky because they can lead to unanticipated file creation and network-dependent behavior without clear user intent.

Vague Triggers

Medium
Confidence
81%
Finding
The embedded description repeats broad invocation guidance without precise boundaries, reinforcing the chance of accidental activation. In this skill that matters because activation leads to file writes and to an export step that is optional in principle but enabled by default, so the consequences of misrouting are larger than for a purely conversational skill.

Missing User Warnings

Medium
Confidence
90%
Finding
The skill instructs saving generated files to the current working directory or a user-specified path without a prominent warning about creating files on disk. Silent persistence is dangerous because it can overwrite files, leave sensitive artifacts behind, or surprise users who expected a purely conversational response.

Missing User Warnings

Medium
Confidence
91%
Finding
Automatic PNG export performs network-dependent actions by default without a strong upfront warning. Users may not realize the skill will launch browser automation, fetch remote assets, and create additional files, which materially changes the privacy and security profile of the operation.

Missing User Warnings

Medium
Confidence
91%
Finding
The documented export flow loads excalidraw.com in a browser and programmatically injects the local diagram content into that page, but the guidance does not clearly warn users that diagram data is being sent to, or exposed within, a third-party web application. In a diagram-generation skill, users may export internal architecture, credential-adjacent notes, or sensitive business flows, so the missing privacy warning creates a real risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence
92%
Finding
The script loads React, ReactDOM, and Excalidraw directly from unpkg at runtime, causing the exporter to make outbound network requests and execute remote JavaScript during processing. This creates a supply-chain and integrity risk: a CDN compromise, dependency hijack, or unexpected version/content change could run attacker-controlled code in the browser context and affect export behavior or access local data rendered by the page.
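The offline/self-hosted renderer the overview recommends, as an added example that is not the skill's code. It addresses the last two findings together: no request from the headless browser reaches excalidraw.com or unpkg.com, and the only scripts that execute are vendored bundles whose SHA-256 matches a pin recorded when they were vendored. `VENDOR_ORIGIN` (a reserved `.invalid` hostname that never resolves), the bundle file names and the pin values are assumptions; `export_png_offline` assumes Playwright for Python is installed, while `route_decision` and `build_page` run without a browser. What the vendored Excalidraw bundle does once loaded (the call that actually draws the scene) is not shown.

```python
"""Added example: an export path that keeps headless Chromium off the network.

Every request the page makes goes through route_decision(). Only script
files under a fake vendor origin are fulfilled, and only from a local
directory whose contents match pinned SHA-256 digests. Everything else
(excalidraw.com, unpkg.com, fonts, telemetry) is aborted, so the diagram
never leaves the machine and no unpinned code runs. Not the skill's code.
"""
import hashlib
import json
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit

# Constructed: a reserved, never-resolving origin. The page references assets
# here and the route handler serves them from disk instead of the network.
VENDOR_ORIGIN = "https://vendored.invalid"

# Constructed file names; real pins are the sha256 of the bundles you vendored.
VENDORED_BUNDLES = (
    "react.production.min.js",
    "react-dom.production.min.js",
    "excalidraw.production.min.js",
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_directory(asset_dir: Path) -> dict:
    """Compute pins once, at vendoring time; commit the result, not this call."""
    return {name: sha256_hex((asset_dir / name).read_bytes()) for name in VENDORED_BUNDLES}


def route_decision(url: str, asset_dir: Path, pins: dict):
    """Decide what the browser may load: ('fulfill', path) or ('abort', reason)."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}" != VENDOR_ORIGIN:
        return ("abort", "off-origin")            # unpkg.com, excalidraw.com, anything else
    name = PurePosixPath(parts.path).name         # final component only: no traversal
    if name not in pins:
        return ("abort", "unpinned-asset")
    path = asset_dir / name
    if not path.is_file():
        return ("abort", "missing-asset")
    if sha256_hex(path.read_bytes()) != pins[name]:
        return ("abort", "integrity-mismatch")    # tampered or silently updated bundle
    return ("fulfill", path)


def build_page(scene: dict) -> str:
    """HTML that loads only vendored bundles and embeds the scene inline.
    '<' is escaped so a '</script>' inside a text element cannot break out
    of the JSON block and run as markup."""
    scene_json = json.dumps(scene).replace("<", "\\u003c")
    scripts = "\n".join(f'<script src="{VENDOR_ORIGIN}/{n}"></script>' for n in VENDORED_BUNDLES)
    return (
        '<!doctype html><html><body><div id="app"></div>\n'
        f'<script type="application/json" id="scene">{scene_json}</script>\n'
        f"{scripts}\n</body></html>"
    )


def export_png_offline(scene: dict, asset_dir: Path, pins: dict, out_path: Path) -> dict:
    """Render with Playwright. Imported lazily so the policy above is testable
    without a browser. Returns aborted-request counts by reason for logging."""
    from playwright.sync_api import sync_playwright  # assumption: playwright installed
    aborted = {}

    def handler(route, request):
        decision, detail = route_decision(request.url, asset_dir, pins)
        if decision == "fulfill":
            route.fulfill(path=str(detail), content_type="application/javascript")
        else:
            aborted[detail] = aborted.get(detail, 0) + 1
            route.abort()

    with sync_playwright() as p:
        browser = p.chromium.launch(headless=True)
        page = browser.new_page()
        page.route("**/*", handler)               # register before any content loads
        page.set_content(build_page(scene))
        page.screenshot(path=str(out_path))       # drawing the scene is the bundle's own API
        browser.close()
    return aborted
```

Design notes: the route handler fails closed, so a bundle that starts phoning home after an upgrade shows up as `off-origin` aborts in the returned counts rather than as silent traffic, and serving by final path component only means a crafted `../` in a script URL cannot read outside the vendored directory.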

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.