visualize-with-libraries

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • DATA_EXFILTRATION (MEDIUM): Potential Path Traversal in src/lib/detector.ts. The getLocalIconPath function accepts iconRef from the untrusted bpmn_data parameter and joins it to local paths with path.join. Because it only strips the 'icon_' prefix and never rejects parent-directory references (..), a caller who controls iconRef can make the function resolve paths outside the intended icon directory. The subsequent "does this icon exist" check then becomes an oracle: by observing whether the SVG generator accepts the path, an attacker can learn whether arbitrary files elsewhere on the system exist.
  • COMMAND_EXECUTION (LOW): Over-privileged Toolset. The SKILL.md file requests Bash, glob, and grep permissions. The provided TypeScript source does not spawn subprocesses itself, but the VISUALIZER_SYSTEM_PROMPT in src/prompt.ts explicitly instructs the agent to 'scan the root directory'. Granting shell-level tools to an agent whose task is rendering a diagram is an unnecessary attack surface: any prompt injection that reaches the agent inherits those tools. Read-only file access is all a visualization task needs.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection via SVG. In src/lib/generator.ts, the task.name and task.type fields are interpolated directly into the SVG <text> nodes without XML escaping or sanitization, so attacker-controlled BPMN content lands verbatim in the generated file.
    ◦ Ingestion points: the bpmn_data parameter in src/index.ts.
    ◦ Boundary markers: none; content is embedded directly in string templates.
    ◦ Capability inventory: fs.writeFile is used to save the resulting SVG to the project's output/ directory.
    ◦ Sanitization: absent. A task name can therefore close the <text> element and break the XML structure, or insert additional elements (for example a <script> element, which runs if the SVG is opened directly in a browser) and instructions that any agent or viewer later reading the SVG will treat as part of the diagram.
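The two code-level findings above (the traversal in getLocalIconPath and the unescaped SVG <text> template) are illustrated below in one added TypeScript example. This is not code from the visualize-with-libraries skill: the vulnerable shapes are reconstructed from the finding text and placed beside hardened versions. ICON_DIR, the Task interface, the <text> template and the helper names getLocalIconPathUnsafe, getLocalIconPathSafe, escapesIconDir, escapeXml, renderTaskUnsafe, renderTaskSafe and countTags are assumptions; only getLocalIconPath, iconRef, the 'icon_' prefix, task.name and task.type are named in the audit.

```typescript
// Added example, not code from the visualize-with-libraries skill: the two
// code paths the audit flags, reconstructed from the finding text, each beside
// a hardened version. ICON_DIR, the Task shape and the <text> template are
// assumptions; only getLocalIconPath, iconRef, the "icon_" prefix, task.name
// and task.type are named in the audit.
import * as path from "path";

const ICON_DIR = "assets/icons"; // assumed location of the bundled icons

// --- Finding 1: path traversal in icon resolution -------------------------

// Reconstruction of the reported pattern: strip the prefix and path.join.
// "icon_../../etc/passwd" resolves two directories above ICON_DIR, and a
// reference with no prefix at all is passed through untouched.
function getLocalIconPathUnsafe(iconRef: string): string {
  const name = iconRef.replace("icon_", "");
  return path.join(ICON_DIR, name);
}

// Hardened: allow-list the reference, then confirm the resolved path is still
// under ICON_DIR. null means "rejected", distinct from "file not found", so the
// caller cannot turn a rejection into an existence oracle.
const ICON_REF = /^icon_[A-Za-z0-9][A-Za-z0-9_-]*$/;

function getLocalIconPathSafe(iconRef: string): string | null {
  if (!ICON_REF.test(iconRef)) return null;
  const root = path.resolve(ICON_DIR);
  const resolved = path.resolve(root, iconRef.slice("icon_".length));
  // Trailing separator so "assets/icons-other" is not accepted as inside root.
  return resolved.startsWith(root + path.sep) ? resolved : null;
}

// True when a candidate path lies outside ICON_DIR after normalisation.
function escapesIconDir(candidate: string): boolean {
  return !path.resolve(candidate).startsWith(path.resolve(ICON_DIR) + path.sep);
}

// --- Finding 3: unescaped task fields in SVG <text> ------------------------

interface Task {
  name: string;
  type: string;
}

// The five XML special characters; enough for text nodes and quoted attributes.
function escapeXml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Reconstruction of the reported pattern: fields go straight into the markup.
function renderTaskUnsafe(task: Task): string {
  return `<text x="10" y="20">${task.name} (${task.type})</text>`;
}

function renderTaskSafe(task: Task): string {
  return `<text x="10" y="20">${escapeXml(task.name)} (${escapeXml(task.type)})</text>`;
}

// Number of element tags in a fragment; a single <text> node should yield 2.
function countTags(svgFragment: string): number {
  return (svgFragment.match(/<[^>]+>/g) ?? []).length;
}

// Constructed inputs: a traversal probe and a task name that closes <text>
// and smuggles a <script> element into the SVG.
const probeRef = "icon_../../etc/passwd";
const hostileTask: Task = {
  name: '</text><script>alert(1)</script><text>',
  type: "userTask",
};

console.log("unsafe join escapes icon dir:", escapesIconDir(getLocalIconPathUnsafe(probeRef)));
console.log("hardened resolver returns:", getLocalIconPathSafe(probeRef));
console.log("tags in unsafe fragment:", countTags(renderTaskUnsafe(hostileTask)));
console.log("tags in escaped fragment:", countTags(renderTaskSafe(hostileTask)));
```

The containment check deliberately runs after path.resolve rather than inspecting the string for "..": a prefix match on the normalised absolute path is what holds regardless of how the traversal is spelled. Returning null for a rejected reference and keeping that separate from a missing file is what removes the existence oracle the finding describes.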
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 07:48 PM