drawio

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill relies on an external Model Context Protocol (MCP) server, @next-ai-drawio/mcp-server, which is downloaded and executed via npx as defined in the .mcp.json file. Because npx resolves the package against the npm registry at run time, the code that actually executes is whatever the registry serves for the requested version, so the version pin (or its absence) in .mcp.json determines how much the skill inherits from upstream changes.
  • [COMMAND_EXECUTION]: The agent uses the RunCommand tool to execute a local Node.js CLI script (scripts/cli.js) that converts YAML/DSL specifications into Draw.io XML or SVG files.
  • [PROMPT_INJECTION]: The skill handles untrusted data: the create and replicate workflows analyze natural language descriptions or images to generate diagrams, so text or image content supplied as input can carry instructions the agent might follow. This creates a surface for indirect prompt injection.
  • Ingestion points: User-provided text descriptions and uploaded images processed in the create and replicate workflows (see references/workflows/create.md and references/workflows/replicate.md).
  • Boundary markers: The skill uses detailed prompt templates in references/docs/ah-format.md with explicit instructions (e.g., "Only use content from input", "Do not infer") to restrict the agent's behavior. These are instruction-level controls: they steer the model but cannot enforce the separation between input data and instructions the way a permission boundary would.
  • Capability inventory: The skill possesses Write and RunCommand capabilities to generate diagram files and execute local conversion scripts, as well as Browser access via the MCP server.
  • Sanitization: The scripts/math/index.js utility implements XML attribute escaping and math label validation so that user-controlled label text cannot close an attribute value or element in the generated Draw.io XML, preventing malformed output or content injection in the diagrams.
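The Sanitization finding above describes why attribute escaping matters for a YAML-to-Draw.io converter: a label is interpolated into the value="..." attribute of an mxCell element, so an unescaped quote lets the label author close the attribute and append elements of their own. The following is an added example, not the skill's scripts/math/index.js; the function names, the $$-delimiter rule for math labels and the hostile label are assumptions constructed for the demonstration.

```javascript
// Added example: what XML attribute escaping and label validation look like for a
// Draw.io (mxGraph) <mxCell>. This is illustrative code, not the skill's own
// scripts/math/index.js; the function names and the $$-delimiter rule are assumptions.

// XML 1.0 forbids C0 control characters other than tab (0x09), LF (0x0A) and CR (0x0D).
const ILLEGAL_XML_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F]/;

// Escape the five characters that can change the meaning of attribute content.
// '&' is handled first so already-escaped output is not escaped twice.
function escapeXmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Validate a math label before it reaches the diagram. Rules assumed here:
// no illegal XML characters, and an even number of $$ delimiters, because an
// unbalanced delimiter makes the math renderer swallow neighbouring label text.
function validateMathLabel(label) {
  if (typeof label !== 'string') return { ok: false, reason: 'label must be a string' };
  if (ILLEGAL_XML_CHARS.test(label)) return { ok: false, reason: 'illegal XML control character' };
  const delimiters = (label.match(/\$\$/g) || []).length;
  if (delimiters % 2 !== 0) return { ok: false, reason: 'unbalanced $$ delimiters' };
  return { ok: true };
}

// Emit one vertex the way a YAML-to-Draw.io converter would. `escape: false` exists
// only to show the failure mode; a real converter should never expose that switch.
function buildMxCell(id, label, { escape = true } = {}) {
  const value = escape ? escapeXmlAttr(label) : label;
  return `<mxCell id="${escapeXmlAttr(id)}" value="${value}" style="rounded=1;" vertex="1" parent="1">` +
         '<mxGeometry x="40" y="40" width="120" height="60" as="geometry"/></mxCell>';
}

// Number of <mxCell> elements in a fragment: one input label must yield exactly one cell.
function countCells(xml) {
  return (xml.match(/<mxCell\b/g) || []).length;
}

// Constructed hostile label (test data, not from a real diagram). It closes the
// value attribute and the element, appends a second cell pointing at an
// attacker-chosen image URL, then reopens a cell so the remaining markup still parses.
const HOSTILE_LABEL =
  'Login"/><mxCell id="99" value="pwned" style="shape=image;image=https://attacker.example/x.png" ' +
  'vertex="1" parent="1"><mxGeometry as="geometry"/></mxCell><mxCell id="100" value="';

function demo() {
  const unsafe = buildMxCell('2', HOSTILE_LABEL, { escape: false });
  const safe = buildMxCell('2', HOSTILE_LABEL);
  return {
    unsafeCellCount: countCells(unsafe),   // 3: the injected cell landed in the diagram
    safeCellCount: countCells(safe),       // 1: the payload is inert text inside value="..."
    escaped: escapeXmlAttr(HOSTILE_LABEL),
    balancedMath: validateMathLabel('$$E = mc^2$$').ok,       // true
    unbalancedMath: validateMathLabel('$$E = mc^2').ok,       // false
    controlChar: validateMathLabel('a\u0001b').ok,            // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The escaping protects the XML layer only: Draw.io also has an HTML label mode (enabled by html=1 in a cell's style), in which the attribute's decoded value is interpreted as HTML, so a converter that turns that mode on needs a separate HTML sanitization step for the same label text.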
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 05:25 PM