Back to skill

Security audit

drawio-AI-maker

Security checks across malware telemetry and agentic risk

Overview

This diagram-generation skill appears purpose-aligned, but it can write files outside a clearly bounded workspace and its documented confirmation step does not appear to be enforced consistently.

Install only if you are comfortable with a skill that writes generated .drawio files locally. Before using it, set or verify the output directory, avoid pointing it at sensitive folders, and confirm the generated diagram content and destination before allowing any save operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'out_path' from os.environ.get (line 50, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# 输出文件
    safe_title = title.replace("/", "_").replace("\\", "_")
    out_path = OUTPUT_DIR / f"{safe_title}.drawio"
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(xml)

    print(f"✅ 生成成功: {out_path}")
Confidence
93% confidence
Finding
with open(out_path, "w", encoding="utf-8") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises file and environment-dependent behavior but does not declare corresponding permissions, which weakens sandboxing and informed-consent controls around file reads, file writes, and environment-variable use. In this context, the skill writes output files and can be redirected via environment variables or CLI options, so undeclared capabilities increase the risk of unexpected filesystem access or policy bypass by the hosting agent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior does not match the apparent implementation: hidden rendering/export features, CLI availability checks, and a direct '--from-llm' generation path bypass the stated 'show JSON and get user confirmation' safety step. This mismatch is dangerous because operators and upstream agents may trust the documented workflow while the actual tool exposes more powerful or less-reviewed execution paths, increasing the chance of unapproved file generation or unsafe automation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code path allows immediate generation and saving of a .drawio file from either --input or pre-supplied JSON without enforcing the documented user-confirmation step. In an agent setting, this can cause unintended file creation and downstream trust issues because the agent may act on ambiguous or attacker-influenced input without explicit user approval.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match many ordinary requests like 'generate a diagram' or 'draw a flowchart,' which can cause the skill to auto-activate in situations the user did not intend. In a file-writing skill, over-triggering is security-relevant because it can initiate document processing, environment/path use, and artifact generation without a sufficiently explicit user opt-in.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script always writes generated files to a hard-coded Desktop path (/Users/owen/Desktop/drawio-generator) without prompting the user or allowing a safer default such as a temporary or user-selected location. In an agent context, this can cause unintended data exposure, overwrite surprises, and privacy issues because user-supplied document content is materialized to a predictable local path outside the caller's explicit control.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.