Back to skill

Security audit

Mermaid Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill transparently converts Mermaid diagrams to PNG or SVG through mermaid.ink, with the main caveat that diagram text is sent to an external service.

Install only if you are comfortable sending Mermaid diagram text to mermaid.ink for rendering. Do not use it for confidential architecture, credentials, customer data, or other sensitive diagrams; use a local Mermaid renderer for those cases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation guidance includes broad phrases like 'draw a diagram', 'create a flowchart', and 'make a visual', which can cause the skill to trigger in many ordinary conversations where users did not intend to send content to an external rendering service. In this skill's context, over-triggering matters because the workflow involves shell execution and transmitting Mermaid content to mermaid.ink, creating unnecessary data exposure and unintended tool use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/mermaid-to-image.js:74