drawio-diagram
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses npx to dynamically download and execute the @drawio/mcp package from the npm registry. While draw.io is a well-known service, executing remote packages at runtime introduces a dependency on external infrastructure.
- [REMOTE_CODE_EXECUTION]: The use of 'npx -y @drawio/mcp' within the MCP server call constitutes the execution of remote code on the local system.
- [COMMAND_EXECUTION]: The skill provides instructions to construct and run shell commands for exporting diagrams (using the draw.io CLI) and opening files (using open, xdg-open, or start). These commands use filenames and export formats derived from user requests, which could lead to command injection if the agent does not strictly validate the input characters.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted diagram content (Mermaid, XML, and CSV) which could contain embedded instructions.
  - Ingestion points: User-provided content in the 'open_drawio_mermaid', 'open_drawio_xml', and 'open_drawio_csv' tool calls.
  - Boundary markers: No explicit delimiters or 'ignore instructions' warnings are defined for the diagram data.
  - Capability inventory: Includes local file system write access, shell command execution for file management and export, and network-based package execution via npx.
  - Sanitization: The skill does not specify any sanitization or escaping procedures for the content before it is processed by the CLI or browser-based tools.
Audit Metadata