
drawio

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DYNAMIC_EXECUTION]: The script scripts/_load_kernel.mjs uses the import() function to load a JavaScript module from paths constructed at runtime. Specifically, it prioritizes paths provided via environment variables (DRAWIO_KERNEL_FILE and DRAWIO_KERNEL_ROOT). This allows the skill to execute code from arbitrary locations on the file system if those environment variables are manipulated.
  • [COMMAND_EXECUTION]: The SKILL.md workflow instructs the agent to execute several shell commands. These include running local Node.js scripts and invoking the macOS draw.io.app binary directly at /Applications/draw.io.app/Contents/MacOS/draw.io to perform image exports. While documented as part of the diagram generation process, executing system-level binaries via absolute paths is a sensitive operation.
  • [DATA_EXPOSURE]: The skill performs frequent read and write operations to the /tmp directory (e.g., /tmp/diagram.ir.json, /tmp/diagram.drawio). While these are used for intermediate data processing, any process with access to /tmp could potentially view or modify the diagram data during the workflow.
  • [INDIRECT_PROMPT_INJECTION]: The 'Phase 3 — Visual Review' involves the agent using a tool to read the contents of a generated PNG file. If the diagram labels or structures are influenced by untrusted user input, they could contain text specifically crafted to override the agent's instructions during the 'refinement' stage. Evidence includes:
      ◦ Ingestion points: Reading /tmp/diagram.png via a Read tool.
      ◦ Boundary markers: None identified for the image reading phase.
      ◦ Capability inventory: Subprocess calls to node and the draw.io binary; file write access to /tmp.
      ◦ Sanitization: The kernel uses escapeXml for XML assembly, but there is no semantic sanitization of the labels before they are 'read' back by the agent visually.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 7, 2026, 04:20 PM