Back to skill

Security audit

Mermaid Diagrams

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for creating Mermaid diagrams, with no hidden execution, data access, or persistence beyond user-chosen installation.

Reasonable to install for Mermaid diagram help. Review any npx, npm, or manual copy commands before running them, and use local rendering instead of online editors when diagrams contain private system architecture or business details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README explicitly lists very broad trigger phrases such as 'diagram', 'visualize', 'model', 'map out', and 'show the flow of a system'. In agent environments, overly generic triggers can cause the skill to activate in unrelated contexts, increasing the chance that untrusted user content is routed into this skill when a more appropriate or safer skill should handle it.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger language is very broad, covering common verbs like 'diagram,' 'visualize,' 'model,' 'map out,' and 'show the flow,' which can match many general user requests outside the intended scope. This can cause the skill to activate unexpectedly, increasing the chance of irrelevant instruction injection into unrelated conversations and reducing routing precision.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.