flow-graph
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill relies on running shell commands for setup and operation. Specifically, it executes 'npm install' in multiple directories and runs 'node scripts/record.mjs'. The 'record.mjs' file is missing from the provided source but is described as invoking 'vite' and 'ffmpeg' via the shell, which is a common vector for command injection.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill triggers the download and installation of numerous NPM packages and a Chromium browser via 'npx playwright install'. The use of '--no-audit' during installation is a best-practice violation: it disables npm's vulnerability audit, so known-vulnerable dependencies are installed without any warning.
- [PROMPT_INJECTION] (HIGH): As an 'Indirect Prompt Injection' surface, the skill processes untrusted natural language to generate 'graph-data.json'. If an attacker can influence the contents of this JSON to include shell metacharacters or path traversal sequences, and the (missing) 'record.mjs' script does not sanitize these values before passing them to 'ffmpeg' or 'vite', it could lead to arbitrary command execution.
- [INDIRECT_PROMPT_INJECTION] (HIGH):
- Ingestion points: User-provided natural language descriptions are parsed into structured 'graph-data.json' files.
- Boundary markers: None identified; the skill lacks delimiters or instructions to ignore embedded commands within the descriptions.
- Capability inventory: The skill performs file writes, executes local scripts, and invokes external binaries (ffmpeg, playwright).
- Sanitization: There is no evidence of sanitization for the generated JSON values (e.g., node labels, colors, or output paths) before they are used in downstream recording and encoding processes.
Recommendations
- AI detected serious security threats