xmind
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill supports an `attachment` field that accepts absolute file paths. This allows the agent to read and embed any local file (e.g., SSH keys, configuration files, or database credentials) into a generated `.xmind` file, facilitating data exfiltration if the file is shared or uploaded.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The 'Working with large files' section provides a Python one-liner that executes `pip install pymupdf` at runtime. Dynamic package installation from unpinned or non-standard sources is a significant security risk.
- [Dynamic Execution] (MEDIUM): The skill uses `importlib.import_module` and `subprocess.run` within a Python execution string to handle PDF processing. Loading modules from computed strings and spawning sub-processes based on user-influenced file paths can lead to command injection or unauthorized code execution.
- [Indirect Prompt Injection] (LOW): The skill ingests data from external PDF files using tools like `pdftotext`. This creates a surface for indirect prompt injection where malicious instructions inside a PDF could influence the agent's behavior during the mind map creation process.
- Ingestion points: PDF file processing via `pdftotext` or `pymupdf` in the fallback logic.
- Boundary markers: None. The extracted text is processed directly to build the JSON structure.
- Capability inventory: File writing, shell command execution (node script), and dynamic Python execution.
- Sanitization: None detected for the extracted text or the JSON fields.
Recommendations
- AI detected serious security threats
Audit Metadata