excalidraw-visuals

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a Node.js script (scripts/excalidraw-visuals/generate-visual.js) and instructs the agent to execute it locally to process diagram prompts and generate visual files.
  • [EXTERNAL_DOWNLOADS]: The generation script fetches the resulting image data from fal.ai infrastructure. fal.ai is recognized as a well-known service for AI model hosting, and this behavior is essential for the skill's primary function.
  • [DATA_EXFILTRATION]: The skill transmits prompt descriptions and the user's FAL_KEY API credential to the fal.ai API. This transmission is intended and necessary for the service to generate the requested images.
  • [CREDENTIALS_UNSAFE]: The skill requires the user to provide a FAL_KEY in a .env file. While this involves handling sensitive credentials, it follows standard practices for local environment configuration.
  • [PROMPT_INJECTION]: The skill processes user-provided descriptions and incorporates them into a structured prompt for an external image model. This creates a standard indirect prompt injection surface, which is considered low risk and is managed by the service provider's safety filters.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 02:18 PM