drawio
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's configuration in `.mcp.json` and `SKILL.md` specifies `npx --yes @next-ai-drawio/mcp-server@latest`. This downloads and executes a package from the npm registry at runtime; because the spec uses the `@latest` tag rather than an exact version, whatever is published at launch time is what runs, so the code is not fixed to any audited revision. The author and organization (@next-ai-drawio) are not on the trusted sources list, posing a supply chain risk.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Executing an unverified package via `npx` constitutes remote code execution: arbitrary code from a non-trusted source runs on the user's machine with the user's privileges.
- [COMMAND_EXECUTION] (MEDIUM): The MCP server runs as a background process with the ability to open browser sessions and write to the local filesystem. Running unvetted binaries or scripts in this manner is a medium-severity security concern.
- [DATA_EXPOSURE] (LOW): The `export_diagram` tool (documented in `docs/mcp-tools.md`) writes files to user-defined paths. While intended for saving diagrams, this could be abused for path traversal or to overwrite sensitive configuration files if the agent is manipulated into supplying a hostile path.
- [INDIRECT_PROMPT_INJECTION] (LOW): The `replicate` workflow (`docs/ah-format.md`) processes untrusted user-provided text and images through a complex extraction prompt.
  - Ingestion points: user-provided descriptions and uploaded images, analyzed as described in `docs/ah-format.md`.
  - Boundary markers: relies on natural-language instructions (e.g. "【唯一输出】", "sole output"), which sophisticated adversarial inputs can bypass.
  - Capability inventory: file writing (`export_diagram`), network access (via the browser), and code execution (via the MCP server).
  - Sanitization: basic XML attribute escaping and HTML tag filtering in `src/math/index.js`, which provides limited protection against structural injection.