Skills
skills/coleam00/excalidraw-diagram-skill/excalidraw-diagram/Snyk

excalidraw-diagram

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md Research Mandate explicitly requires the agent to "look up the actual JSON/data formats" and "find the real event names, method names, or API endpoints" (i.e., fetch public specs/webpages) — and the rendering template also pulls a module from https://esm.sh — meaning the agent is expected to ingest open/public third‑party content that can materially influence its generation and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The render_template.html used at runtime by references/render_excalidraw.py performs a dynamic import from https://esm.sh/@excalidraw/excalidraw?bundle which causes the agent's renderer to fetch and execute remote JavaScript during rendering, and the skill requires that import to render diagrams.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 2, 2026, 05:54 PM