svg-diagram

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's Mermaid-to-SVG script runs the Mermaid CLI through child_process.execSync, which hands the whole command string to a shell. That string is built by interpolating the bgColor, width and height properties of an options object directly into it, so a caller who controls any of those values can append shell metacharacters (a semicolon, a pipe, backticks or $(...)) and have the shell run arbitrary commands alongside the CLI. The pattern is only safe if every interpolated value is validated against a strict allowlist; the more robust fix is to pass the options as a separate argument array to execFileSync (or spawn with shell disabled) so that no shell ever parses them.
  • [EXTERNAL_DOWNLOADS]: The skill invokes the Mermaid CLI through npx, so running it may download and execute @mermaid-js/mermaid-cli from the npm registry at runtime instead of using a pinned, lockfile-recorded dependency already present in the project. The SVG templates and processing logic also carry CSS @import rules that fetch font resources from the external CDN https://cdn.jsdelivr.net/gh/orioncactus/pretendard/, so a rendered diagram opened in a browser, or processed by any renderer that honours @import, makes an outbound request to that host.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 03:41 PM