xmind-processor
Audited by Gen Agent Trust Hub on Feb 13, 2026
================================================================================
🟡 VERDICT: MEDIUM
This skill is designed to programmatically interact with XMind files by executing Python scripts. The primary concern is the reliance on an external, unverified dependency (jsonpath-ng) which is installed via package managers (uv or pip). While jsonpath-ng is a legitimate and widely used library, the act of fetching and installing external code introduces a supply chain risk. The skill's core functionality involves command execution and file system access, which are inherent to its purpose and not deemed malicious in this context.
Total Findings: 2
🟡 MEDIUM Findings:
• Unverifiable Dependencies - Line 32 (README.md): The skill instructs users to install `jsonpath-ng` via `uv add jsonpath-ng` or `pip install jsonpath-ng`. This involves fetching and executing external code from package repositories, which introduces a supply chain risk because the content of these packages cannot be fully verified at analysis time.
• Unverifiable Dependencies - Line 14 (scripts/pyproject.toml): The `pyproject.toml` file explicitly lists `jsonpath-ng>=1.7.0` as a dependency, confirming the need to download and install this external package.
🔵 LOW Findings:
• Command Execution - Line 28 (README.md): The skill's core functionality involves executing Python scripts (e.g., `uv run scripts/create_xmind.py`). While this is the intended behavior, it is noted as command execution. The scripts themselves do not contain arbitrary command execution vulnerabilities.
• File System Access - Line 5 (scripts/create_xmind.py): The script `create_xmind.py` performs file system operations such as copying template files (`shutil.copy2`) and writing new XMind files. This is expected behavior for a file manipulation skill.
• File System Access - Line 5 (scripts/insert_topic.py): The script `insert_topic.py` reads and modifies XMind files, which involves file system access. This is expected behavior.
• File System Access - Line 5 (scripts/set_background.py): The script `set_background.py` reads and modifies XMind files, which involves file system access. This is expected behavior.
• File System Access - Line 13 (scripts/xmind_utils.py): The core utility `xmind_utils.py` handles reading and writing XMind files, which are ZIP archives. This involves extensive file system operations (e.g., `zipfile`, `shutil.move`, `tempfile.TemporaryDirectory`), all of which are necessary for the skill's stated purpose.
================================================================================