Excalidraw Creator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it creates Excalidraw-style diagram PNGs, but it requires local Node.js execution and setup downloads.

Install only if you are comfortable running a local Node.js renderer and a setup script that installs npm dependencies and downloads fonts. Use fixed, simple temporary filenames rather than user-supplied names, review setup.sh first in restricted environments, and avoid running setup or rendering as a privileged user.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill instructs the agent to invoke a shell command (`node <skill_dir>/scripts/render.js ...`) even though no permissions are declared, which creates an undeclared execution capability. This is dangerous because hidden subprocess use expands the trust boundary: a user may believe the skill only formats diagram JSON, while it actually executes local code that could be modified, abused, or chained with other unsafe setup behavior.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The declared purpose is diagram generation, but the behavior reportedly includes downloading font assets, running `npm install`, and performing additional preprocessing not disclosed in the description. This mismatch is dangerous because it hides network access and package installation behind a benign-looking skill, increasing supply-chain and remote content risks and preventing informed consent by users or reviewers.

Missing User Warnings

Low
Confidence: 78%
Finding: The workflow explicitly writes files to `/tmp` and executes a renderer subprocess, but the skill text does not warn users about these side effects. While expected for rendering, undisclosed local file creation and process execution can still create operational and privacy risks, especially in constrained or multi-tenant environments.

VirusTotal

66/66 vendors flagged this skill as clean.
