Back to skill

Security audit

Code To Mindmap

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward code-to-Mermaid diagram helper with optional local rendering, and I found no hidden persistence, credential handling, automatic uploads, or destructive behavior.

Safe to install for normal diagramming use. Render diagrams locally with a trusted Mermaid CLI when working with private code, avoid pasting sensitive diagrams into external services, and do not set MMDC_PATH to an untrusted executable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'mmdc' from os.getenv (line 17, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
# Try mmdc (Mermaid CLI) first — most reliable
    mmdc = os.getenv("MMDC_PATH", "mmdc")
    try:
        subprocess.run(
            [mmdc, "-i", mmd_path, "-o", output_path, "-b", format],
            check=True, capture_output=True
        )
Confidence
91% confidence
Finding
subprocess.run( [mmdc, "-i", mmd_path, "-o", output_path, "-b", format], check=True, capture_output=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation references capabilities beyond pure text transformation, including reading local files, accessing environment data, and using shell-backed rendering tooling, yet no permissions are declared. This creates an authorization gap: a user or host may believe the skill is passive visualization logic while it can trigger filesystem or command execution paths through referenced scripts and tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose is code visualization, but the skill also references behavior that can execute external tools, render files, and direct users to external services. This mismatch is dangerous because it hides materially different trust boundaries: subprocess execution and external sharing can expose source code, secrets, or local data in ways users would not expect from a simple diagramming skill.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
A second definition of _main() overrides the earlier fully implemented test runner and replaces it with a call to undefined _run_unit_tests(). If invoked in a context that imports the later symbol or calls _main() directly, the test suite will fail at runtime, potentially disabling validation and allowing malformed or risky skill content to bypass expected checks.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger condition is broad enough that ordinary requests about visualizing code structure could invoke the skill even when the user did not explicitly want this specific capability. That can cause unintended routing and increase the chance the agent processes pasted source code in a way the user did not mean, though this README alone does not introduce direct code-execution risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.