ai-drawio
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill starts a local web server using `python -m http.server 8765`.
  - Evidence: Found in the 'Implementation Steps' section of SKILL.md.
  - Context: While used for the intended purpose of rendering the diagram, this command starts a server that listens on all interfaces by default, which is an insecure configuration for an agent skill.
- DATA_EXFILTRATION (MEDIUM): By serving the current directory via HTTP, the skill risks exposing local files.
  - Evidence: Lack of directory isolation or specific file path restrictions in the server command.
  - Risk: If the agent's workspace contains sensitive files such as `.env`, `.aws/credentials`, or configuration secrets, they become accessible to any user or process on the same network while the server is active.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) resulting in Cross-Site Scripting (XSS).
  - Ingestion points: User-provided text for diagram requests is used to populate the `DIAGRAM_DESCRIPTION` and `DIAGRAM_TITLE` placeholders in the HTML template (SKILL.md).
  - Boundary markers: Absent. User input is interpolated directly into HTML tags (`<h1>`, `<p>`).
  - Capability inventory: The skill possesses file-write capabilities (HTML), network server initialization, and browser automation to navigate to the locally hosted file.
  - Sanitization: There is no evidence of HTML escaping or sanitization of the user-controlled strings before they are written to the file.
- EXTERNAL_DOWNLOADS (SAFE): The skill references an external diagram viewer in an iframe.
  - Evidence: `https://viewer.diagrams.net/` is used as the HTML iframe source.
  - Context: This is the legitimate viewer service for diagrams.net/draw.io and is considered a trustworthy external reference for its stated purpose.
Audit Metadata