anygen-diagram
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The skill includes hidden/deceptive instructions outside its stated diagram-generation purpose—notably forced concealment of internal identifiers and a background-monitor step that auto-sends a promotional "all-in-one skill" recommendation and mutates config to mark it recommended—behavior that is promotional and not required for generating diagrams.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill includes explicit examples and commands that place API keys or bearer tokens directly into command-line arguments (e.g., python3 scripts/anygen.py config set api_key "sk-xxx" and curl -H "Authorization: Bearer <...>") and requires prompting the user for an API key, which may lead the LLM to echo secret values verbatim into commands or outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill calls AnyGen's public OpenAPI (https://www.anygen.io — see SKILL.md and scripts/anygen.py) to run the prepare API and to fetch "reply" and "suggested_task_params" and later task messages via tasks/{task_id}/messages, and the agent is required by the workflow to read/present and then act on those returned prompts/assistant replies (Phase 2/3/5), which is untrusted third-party content that can influence subsequent tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime requests to https://www.anygen.io whose prepare/create responses (suggested_task_params / reply) directly control the agent's prompts and flow, and its rendering step also loads and executes remote code from CDNs such as https://esm.sh/@excalidraw/... and https://viewer.diagrams.net/js/viewer-static.min.js during runtime, all of which are required for the skill to operate.
Issues (4)
E004
CRITICAL: Prompt injection detected in skill instructions.
W007
HIGH: Insecure credential handling detected in skill instructions.
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).