mermaid-tools
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Privilege Escalation (HIGH): The documentation in `references/setup_and_troubleshooting.md` instructs the user or agent to execute commands with `sudo` privileges to modify system package repositories and install software.
- Remote Code Execution (HIGH): The setup instructions include a piped remote execution pattern (`wget ... | sudo apt-key add -`) which downloads a key from a remote URL and immediately executes a command with it.
- External Downloads (LOW): The skill relies on external software including `google-chrome-stable` and `@mermaid-js/mermaid-cli`. Per the [TRUST-SCOPE-RULE], these are from trusted sources (Google), which downgrades the download severity to LOW.
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted markdown content.
  - Ingestion points: `scripts/extract_diagrams.py` reads content from a user-supplied markdown file.
  - Boundary markers: Absent; the script identifies content using standard markdown code block regex without delimiters or ignore-instructions.
  - Capability inventory: The skill possesses the ability to write files to the disk and execute external binaries via `extract-and-generate.sh`.
  - Sanitization: While output filenames are sanitized, the content of the diagram is passed directly to the `mmdc` renderer without sanitization.
- Security Control Deactivation (MEDIUM): The `scripts/puppeteer-config.json` file explicitly disables the Chrome sandbox (`--no-sandbox`, `--disable-setuid-sandbox`), significantly reducing the security profile of the rendering environment.
Recommendations
- AI detected serious security threats
Audit Metadata