Draw.io Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward draw.io helper whose diagram editing and export behavior matches its stated purpose.

Install this only with a drawio MCP server you trust. Consider pinning the MCP server package version instead of using @latest, and avoid sending sensitive architecture or business details through the MCP server unless it is approved for that data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The skill enables implicit invocation for a tool-backed capability that can create, edit, and export diagrams through an MCP server, but it defines no trigger constraints, scope limits, or exclusion conditions. This can cause the agent to invoke the skill opportunistically on loosely related requests, increasing the chance of unintended tool execution, data exposure to the MCP server, or unreviewed modification/export actions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal