mermaid
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The `scripts/check_mermaid.py` script downloads and installs the `nodeenv` package from PyPI. It subsequently uses `nodeenv` to download a specific version of the Node.js runtime from its official source (nodejs.org). Additionally, it uses `npx` to fetch and execute `@mermaid-js/mermaid-cli` from the official NPM registry.
- [COMMAND_EXECUTION]: The script uses the `subprocess.run` method to execute various environment management and validation tools, including `uv`, `pip`, `nodeenv`, and `npx`. These commands are executed using list-based arguments, which is a secure practice that prevents shell injection vulnerabilities.
- [DATA_EXPOSURE]: The script creates and maintains a cache directory in the user's local application data or cache folder (`~/.cache/creative-writing-skills/mermaid-validator`) to store the Node.js runtime and associated tools. This is a standard and transparent behavior for development utilities.
- [REMOTE_CODE_EXECUTION]: The skill uses `npx --yes @mermaid-js/mermaid-cli` to perform diagram validation. While this involves fetching and running remote code, it targets a well-known, established package from the official NPM registry for a clearly defined functional purpose.
Audit Metadata