drawing-diagrams
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses a local Python script (mermaid-encode.py) to process user-provided diagram code. Analysis of the script confirms it only uses Python standard libraries (argparse, base64, json, sys, zlib) and does not perform any network operations or file system access beyond reading from stdin.
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute a shell command to pipe diagram code into the local encoder script and then to the system's browser opener (open or xdg-open). This is the intended primary purpose of the skill and does not involve any privilege escalation or dangerous shell patterns.
- [EXTERNAL_DOWNLOADS]: No external packages or remote scripts are downloaded. The skill relies entirely on the provided local script and the user's pre-installed Python 3 environment.
- [DATA_EXFILTRATION]: The skill generates URLs for mermaid.live. These URLs contain the diagram state encoded in the fragment identifier (after the #), which is processed client-side by the mermaid.live web application. No data is sent to a third-party server by the skill itself; the user explicitly chooses to open the URL in their own browser.
Audit Metadata