diagrams-generator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted data from local files and user input, then interpolates it into a prompt for a sub-agent without sanitization.
      • Ingestion points: Read() calls in Step 2 target .specweave/docs/internal/strategy/auth/spec.md and user-provided keywords in Step 1.
      • Boundary markers: Absent. The loadedContext variable is placed directly into the Task prompt string: Context: ${loadedContext}.
      • Capability inventory: Read, Write, Edit, and Task (subagent delegation).
      • Sanitization: None detected. An attacker who can modify the documentation files can hijack the downstream diagrams-architect agent.
  • Path Traversal (HIGH): The skill uses variables like {module} and {env} to construct file paths for the Write tool without validation.
      • Evidence: In Step 4, the output path is defined as .specweave/docs/internal/architecture/diagrams/{module}/.
      • Risk: If a user or a malicious doc file provides a module name like ../../../../, the agent may attempt to write diagram content to arbitrary locations on the filesystem using its Write and Edit permissions.
  • Data Exposure (MEDIUM): The skill is hardcoded to access sensitive internal strategy and authentication documentation.
      • Evidence: Read('.specweave/docs/internal/strategy/auth/spec.md') in Step 2.
      • Risk: Automatically reading authentication specifications and passing them to other agents increases the attack surface for sensitive design data exposure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:45 PM