pretty-mermaid
Warn
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, NO_CODE
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The README.md indicates that dependencies are auto-installed on the first run. This involves installing 'beautiful-mermaid' from a non-trusted repository without an explicit manual verification step.
- [COMMAND_EXECUTION] (LOW): The skill is designed to execute local Node.js scripts (render.mjs, batch.mjs, themes.mjs) to perform rendering. While expected for a rendering tool, this capability requires the underlying code to be verified for safe file and command handling.
- [PROMPT_INJECTION] (MEDIUM): The skill ingests untrusted .mmd files as input and writes to the local filesystem. This creates an indirect prompt injection surface where a maliciously crafted diagram could attempt to manipulate agent output or perform unauthorized file writes.
- [NO_CODE] (INFO): The primary logic scripts referenced in the documentation and package.json were not included in the provided files, preventing a comprehensive review of the code's behavior.
Audit Metadata