mermaid-render
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
child_process.spawnandexecSyncto run the Mermaid CLI (mmdc) and the Node.js runtime. While these commands are central to the skill's primary function and use array-based arguments to prevent shell injection, they represent a high-privilege capability within the agent's environment. - [EXTERNAL_DOWNLOADS]: The
scripts/render.mjsfile contains aloadPuppeteerfunction that automatically executesnpm installif the Puppeteer dependency is not found. This involves downloading packages from the well-known npm registry to the local environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted content provided by users in the form of Mermaid (
.mmd) or Markdown (.md) files. - Ingestion points: Files passed to the
--inputflag inscripts/render.mjsandscripts/batch.mjsare read and parsed to extract diagram code. - Boundary markers: The skill does not implement delimiters or explicit 'ignore embedded instructions' warnings for the data being processed.
- Capability inventory: The skill can perform shell command execution via
spawn, has file system read/write access for temporary file management, and utilizes Puppeteer to execute JavaScript in a browser context for rendering. - Sanitization: While the skill uses regular expressions to isolate Mermaid blocks, it does not sanitize the contents of those blocks before passing them to the rendering engine (Puppeteer), which could be exploited through malicious Mermaid directives or browser-based vulnerabilities.
Audit Metadata