drawio
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill configures an MCP server to run via `npx --yes @next-ai-drawio/mcp-server@latest` in `.mcp.json`. This downloads and executes arbitrary code from the npm registry without source verification or version pinning: `--yes` suppresses the install prompt, and `@latest` resolves to whatever the registry serves at run time, so the code executed can change between runs without any change to the skill. Neither the package nor its author is on the trusted list.
- [Data Exposure & Exfiltration] (SAFE): Analysis of the provided source files shows no evidence of hardcoded credentials or unauthorized data exfiltration logic.
- [Indirect Prompt Injection] (LOW): The skill has an attack surface for indirect prompt injection, since it processes user-provided natural language into structured diagram XML.
  - Ingestion points: Natural language descriptions and image metadata processed via the `/drawio` commands.
  - Boundary markers: Not present in the conversion logic; the system relies on regex parsing.
  - Capability inventory: The MCP server can open local ports, control browser instances, and export files to the local filesystem.
  - Sanitization: Node labels and formulas are escaped using XML entities in `src/math/index.js`.
- [Prompt Injection] (SAFE): No malicious instruction overrides or bypass attempts were found in the workflow documentation or templates.
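The HIGH finding above comes down to one pattern in `.mcp.json`: an `npx --yes <package>@latest` launch that resolves the package at run time. The following is an added example of a check for that pattern; it is not the audited skill's code and not Gen Agent Trust Hub's tooling. It parses a constructed `.mcp.json` that contains the audited command alongside the same server pinned to an exact version (the version number `1.2.3` is an assumption for illustration) and reports every `npx`-launched server whose spec is missing or floating.

```python
"""Flag MCP servers launched through npx without an exact version pin.

Added example, not code from the audited skill or from Gen Agent Trust Hub.
A spec of "@latest", a dist-tag, a range, or no version at all means the
npm registry decides at run time which code is downloaded and executed.
"""
import json
import re

# Constructed sample .mcp.json: "drawio" mirrors the audited command,
# "drawio-pinned" is the same server with an exact version (1.2.3 is an
# assumed value), and "local-tool" is not launched through npx at all.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "drawio": {
            "command": "npx",
            "args": ["--yes", "@next-ai-drawio/mcp-server@latest"],
        },
        "drawio-pinned": {
            "command": "npx",
            "args": ["--yes", "@next-ai-drawio/mcp-server@1.2.3"],
        },
        "local-tool": {
            "command": "node",
            "args": ["./server.js"],
        },
    }
})

# npm package spec: optional @scope/, package name, optional @version
_SPEC_RE = re.compile(r"^(?P<name>(?:@[\w.-]+/)?[\w.-]+)(?:@(?P<version>.+))?$")
# Exact semver x.y.z, optionally with a pre-release or build suffix
_EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$")


def classify_args(args):
    """Return (package, version, pinned) for the first package spec in args, else None.

    Flags such as --yes / -y are skipped; anything else that matches the
    npm spec grammar is treated as the package npx will fetch and run.
    """
    for arg in args:
        if arg.startswith("-"):
            continue
        m = _SPEC_RE.match(arg)
        if not m:
            continue
        version = m.group("version")
        pinned = bool(version) and _EXACT_RE.match(version) is not None
        return m.group("name"), version, pinned
    return None


def find_unpinned_npx(mcp_json_text):
    """Return sorted (server, package, version) tuples for npx servers without an exact pin."""
    config = json.loads(mcp_json_text)
    findings = []
    for server_name, server in config.get("mcpServers", {}).items():
        if server.get("command") not in ("npx", "npx.cmd"):
            continue
        info = classify_args(server.get("args", []))
        if info is None:
            continue
        package, version, pinned = info
        if not pinned:
            findings.append((server_name, package, version or "<none>"))
    return sorted(findings)


if __name__ == "__main__":
    for server_name, package, version in find_unpinned_npx(SAMPLE_MCP_JSON):
        print(f"{server_name}: {package} is resolved at run time (spec: {version})")
```

Pinning to an exact version removes silent drift between runs; it does not verify who published the package or that the downloaded tarball matches what was reviewed. That requires installing the dependency through a lockfile with integrity hashes, or vendoring a reviewed copy, rather than fetching through `npx` at launch.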
Recommendations
- AI detected serious security threats
Audit Metadata