plantuml
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the processing of untrusted markdown and diagram files.
  - Ingestion points: `scripts/process_markdown_puml.py` and `scripts/resilient_processor.py` ingest data from user-provided `.md` and `.puml` files.
  - Boundary markers: Absent. The scripts extract content based on standard markdown code block delimiters without additional security boundaries.
  - Capability inventory: The skill executes subprocess commands (`java -jar plantuml.jar`) and has full read/write access to the local workspace.
  - Sanitization: Absent. The scripts do not sanitize PlantUML preprocessor directives such as `!include` or `!includeurl`, which can be exploited to read sensitive local files or to perform server-side request forgery (SSRF) if the environment is not restricted.
- [COMMAND_EXECUTION]: Multiple scripts (`scripts/convert_puml.py`, `scripts/check_setup.py`, `scripts/resilient_processor.py`) use the `subprocess` module to execute system commands, including `java` and `dot` (Graphviz). While they correctly pass argument lists instead of shell strings, which mitigates shell injection, they provide a broad capability to execute any code packaged within the provided `plantuml.jar` file.
- [EXTERNAL_DOWNLOADS]: The skill documentation (`README.md`, `references/plantuml_reference.md`) instructs users to download the `plantuml.jar` executable from external sources such as SourceForge and the official PlantUML website. While these are well-known and reputable services, they represent unmanaged external dependencies that execute with the privileges of the user running the skill.
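As an added example (not the audited skill's own code) of the checks a maintainer would put in front of the `java -jar plantuml.jar` call described in the findings above: it extracts fenced PlantUML from markdown the same way the scripts do, refuses any diagram that carries file or network preprocessor directives instead of passing it through, verifies the downloaded jar against a pinned SHA-256 before executing it, and builds an argument-list invocation that additionally sets PlantUML's documented `PLANTUML_SECURITY_PROFILE=SANDBOX` system property. The sample markdown, the hash values, the file names and the directive list are constructed for illustration; the directive list in particular is an assumption that should be extended to match the PlantUML version actually pinned.

```python
"""Added example, not code from the audited plantuml skill: scan extracted PlantUML for
file/network directives, pin plantuml.jar by SHA-256, and invoke it with a sandbox profile."""
from __future__ import annotations

import hashlib
import hmac
import re
import subprocess
from pathlib import Path

# Fenced ```plantuml / ```puml blocks, the same delimiter-based extraction the audit
# describes. The fence is spelled `{3} so this listing itself stays well-formed.
FENCE_RE = re.compile(r"`{3}(?:plantuml|puml)[ \t]*\n(.*?)\n[ \t]*`{3}", re.DOTALL)

# Preprocessor directives that reach the filesystem or the network: the !include
# family, !import, and "!theme <name> from <path-or-url>". Assumed list; extend as needed.
DIRECTIVE_RE = re.compile(
    r"^[ \t]*!(?:include(?:url|sub|def)?|import|theme\b.*\bfrom)\b.*$",
    re.IGNORECASE | re.MULTILINE,
)

# PlantUML's documented security-profile property; SANDBOX denies local file and
# network access from the preprocessor. Confirm the pinned jar version honours it.
SECURITY_PROFILE = "SANDBOX"


def extract_diagrams(markdown: str) -> list[str]:
    """Return the body of every plantuml/puml fenced block, in document order."""
    return [m.group(1) for m in FENCE_RE.finditer(markdown)]


def find_unsafe_directives(diagram: str) -> list[str]:
    """Lines in a diagram (or a raw .puml file) that use file/network directives."""
    return [m.group(0).strip() for m in DIRECTIVE_RE.finditer(diagram)]


def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of a blob's SHA-256 against a pinned hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def verify_jar(jar: str | Path, expected_sha256: str) -> bool:
    """True only if the downloaded plantuml.jar matches the hash pinned in config."""
    return digest_matches(Path(jar).read_bytes(), expected_sha256)


def build_plantuml_argv(jar: str | Path, source: str | Path, out_dir: str | Path) -> list[str]:
    """Argument list (never a shell string) for a hardened PlantUML invocation."""
    return [
        "java",
        "-Djava.awt.headless=true",
        f"-DPLANTUML_SECURITY_PROFILE={SECURITY_PROFILE}",
        "-jar", str(jar),
        "-tsvg",
        "-o", str(out_dir),
        str(source),
    ]


def render_diagram(diagram: str, jar: Path, expected_sha256: str, work_dir: Path) -> Path:
    """Scan, verify the jar, then render; refuses (rather than rewrites) on any failure."""
    unsafe = find_unsafe_directives(diagram)
    if unsafe:
        raise ValueError(f"refusing to render, preprocessor directives found: {unsafe}")
    if not verify_jar(jar, expected_sha256):
        raise RuntimeError(f"{jar} does not match the pinned SHA-256; not executing it")
    work_dir = work_dir.resolve()  # PlantUML resolves -o relative to the source file
    source = work_dir / "diagram.puml"
    source.write_text(diagram, encoding="utf-8")
    subprocess.run(build_plantuml_argv(jar, source, work_dir), check=True, timeout=60)
    return work_dir / "diagram.svg"


# Constructed sample input (not from the audited project): one benign diagram and one
# carrying exactly the directives the audit warns about.
FENCE = "`" * 3
SAMPLE_MARKDOWN = "\n".join([
    "# Design notes",
    "",
    FENCE + "plantuml",
    "@startuml",
    "Alice -> Bob: hello",
    "@enduml",
    FENCE,
    "",
    FENCE + "puml",
    "@startuml",
    "!include ../secrets.env",
    "!includeurl http://internal.example/diagram.puml",
    "Alice -> Bob: hello",
    "@enduml",
    FENCE,
])


if __name__ == "__main__":
    for i, diagram in enumerate(extract_diagrams(SAMPLE_MARKDOWN)):
        unsafe = find_unsafe_directives(diagram)
        print(f"diagram {i}: {'BLOCKED ' + str(unsafe) if unsafe else 'ok'}")
    print(" ".join(build_plantuml_argv("plantuml.jar", "diagram.puml", "out")))
```

Raw `.puml` files go through `find_unsafe_directives` directly, without the markdown extraction step. The directive scan and the sandbox profile are deliberately both present: the scan fails closed on the input before any Java process starts, while the profile limits what the jar can do if a directive slips past the regex. The pinned digest belongs in the skill's configuration, recorded from the release the README points at, so that a replaced jar is refused rather than executed.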
Audit Metadata