moai-library-mermaid

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Remote Code Execution] (HIGH): The 'allowed-tools' configuration in 'SKILL.md' includes 'Bash(npx:*)', which allows the AI agent to execute arbitrary Node.js packages from the npm registry without explicit version pinning or source verification. This allows for the execution of unverified remote code at runtime.
  • [Command Execution] (MEDIUM): The skill utilizes 'Bash(mmdc:*)' to run the Mermaid CLI. Broad shell permissions without specific argument constraints increase the risk of command injection if the input Mermaid code is maliciously crafted.
  • [External Downloads] (LOW): The documentation in 'reference.md' refers to numerous external Python and Node.js libraries (e.g., 'mermaid-py', 'pypyrus', 'diagrams') and links to third-party tools. These represent an external dependency chain that is not fully locked down within the skill's own code.
  • [Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection via the processing of Mermaid diagram syntax. 1. Ingestion points: 'examples.md' and user-provided diagram code. 2. Boundary markers: Absent. 3. Capability inventory: 'Bash' and 'npx' execution. 4. Sanitization: Absent. Malicious instructions could be embedded in diagram comments or labels to influence agent behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 05:47 PM