generating-infographics
Fail
Audited by Gen Agent Trust Hub on Feb 12, 2026
Risk Level: CRITICAL
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
🔴 CRITICAL Findings:
• Privilege Escalation / Command Execution
- Line 190 (generate.js), Line 70 (lib/exporter.js): The generate.js script launches Puppeteer (a headless Chromium browser) with the --no-sandbox and --disable-setuid-sandbox arguments. This disables critical security sandboxing mechanisms in Chromium. The script then loads user-controlled SVG content (derived from config.data and config.illustrationsDir) into this unsandboxed browser. If the SVG content contains malicious JavaScript (e.g., <script>alert(1)</script> or more sophisticated payloads), it will execute with the full privileges of the Node.js process, effectively allowing arbitrary command execution and privilege escalation.
🔴 HIGH Findings:
• Data Exfiltration (Arbitrary File Read)
- Line 60 (generate.js), Line 100 (lib/illustrations.js), Line 106 (lib/illustrations.js): The skill allows users to specify paths for configuration files (--config) and illustration directories (--illustrations). These paths are resolved using path.resolve(). An attacker could provide a path like ../../../../etc/passwd or ~/.aws/credentials. The loadConfig function reads the specified config file, and lib/illustrations.js reads files from the specified illustrations directory. If a malicious illus field in the data points to a sensitive file, its content could be read and embedded into the generated SVG. While no direct network exfiltration of this embedded data is observed after embedding, the ability to read arbitrary files and embed them into a user-controlled output file (--output) is a significant data exfiltration risk.
🟡 MEDIUM Findings:
• Unverifiable Dependencies
- Line 19 (package.json): The package.json lists several dependencies (@antv/infographic, @resvg/resvg-js, jsdom, lucide-static, sharp) that are not from the explicitly whitelisted trusted GitHub organizations. While these are generally well-known open-source projects, their code is not directly audited as part of this skill, and they could potentially introduce vulnerabilities.
🔵 LOW Findings:
• Trusted External Dependency
- Line 23 (package.json): The puppeteer dependency is from puppeteer/puppeteer, which is part of the google organization and is considered a trusted source. This finding is noted for completeness but does not elevate the overall risk.
ℹ️ INFO Findings:
• Indirect Prompt Injection Risk: The skill processes user-provided data (config.data, options.data, options.theme, options.illustrations). Due to the critical command execution vulnerability (unsandboxed Puppeteer), if this user-provided data contains malicious SVG or JavaScript, it could be executed. This is a consequence of the direct command execution finding.
Recommendations
- AI detected serious security threats