sf-diagram-mermaid
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) by ingesting data from external Salesforce organizations.
- Ingestion points: Metadata (record counts and sharing settings) retrieved via the `query-org-metadata.py` script, which calls the Salesforce CLI.
- Boundary markers: Not explicitly defined in the prompts that process the metadata for diagram generation.
- Capability inventory: The skill can execute local Python scripts and write diagram files to the `/tmp` directory.
- Sanitization: Metadata is retrieved as structured JSON, but the skill lacks specific delimiters to prevent the agent from following instructions if they were maliciously embedded in Salesforce object descriptions.
- [COMMAND_EXECUTION]: The skill uses local Python helper scripts (`query-org-metadata.py` and `mermaid_preview.py`) to perform its tasks. These scripts use standard Python libraries to interact with the Salesforce CLI and provide a local HTTP server for diagram previews. This behavior is transparent and aligned with the skill's stated purpose.
- [EXTERNAL_DOWNLOADS]: The preview server template references the Mermaid.js library from a well-known CDN (jsDelivr). This is a standard practice for loading web dependencies and is considered safe in this context.
Audit Metadata