audit-plans

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in the MERMAID_VALIDATE_CMD environment variable. While the documentation suggests using it for npm run validation tasks, a malicious configuration could lead to unauthorized system commands being run in the background.
  • [REMOTE_CODE_EXECUTION]: The skill launches background tasks and workers to perform diagram validation and status verification. These workers operate based on command strings provided in the client configuration, which could be exploited to execute untrusted code if the configuration files are compromised.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it parses and interprets content from a wide variety of external markdown files within the user's plan catalog.
      • Ingestion points: Plan files located in PLAN_DIRS and PLAN_ROOT, including plan.md, shared.md, and session plans.
      • Boundary markers: None present; the agent reads the files directly to extract 'actor', 'capability', and 'outcome' details.
      • Capability inventory: File system read/write access (for auditing and fixing diagrams) and shell command execution via validation commands.
      • Sanitization: No sanitization or safety delimiters are used when processing the text from the plan files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:11 PM