nsfc-schematic
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external binaries via `subprocess.run` in `scripts/render_schematic.py`. Specifically, it runs the `drawio` command. The path to this binary is configurable via `renderer.drawio.cli_path` in `config.yaml` or `config_local.yaml`. Although the script verifies the file's existence, this mechanism allows an attacker who can modify the configuration to execute arbitrary binaries present on the system.
- [DATA_EXFILTRATION]: In the 'Nano Banana' mode, the skill communicates with the Gemini API. The base URL for these requests is configurable via the `GEMINI_BASE_URL` environment variable. If an attacker directs this to a malicious endpoint, the `GEMINI_API_KEY` (also loaded from the environment) would be transmitted to that untrusted server during API calls or connectivity checks.
- [EXTERNAL_DOWNLOADS]: The skill can trigger the installation of the `drawio` desktop application using Homebrew on macOS if the `auto_install_macos` setting is enabled. It also downloads generated image data from the configured Gemini API endpoint.
- [PROMPT_INJECTION]: The skill processes untrusted LaTeX (`.tex`) files to extract research terms and plan schematic structures (Category 8). This represents a significant attack surface where maliciously crafted LaTeX content could influence the AI agent's planning and generation phases, potentially bypassing intended constraints or manipulating the output spec.
- [SAFE]: The skill implements consistent path safety checks using `is_safe_relative_path` to prevent directory traversal when accessing local resources like color palettes and template models.
Audit Metadata