diagrams-generator

[Skill Scanner] Backtick command substitution detected This skill appears coherent and aligned with its stated purpose: coordinating diagram generation by reading optional local specs, delegating generation to a diagrams-architect agent, and saving the returned Mermaid files. No direct malicious code, obfuscation, hardcoded secrets, or network exfiltration to suspicious domains is present. The main security concern is the trust boundary: local repository files read into the Task prompt will be transmitted to the subagent. If the subagent is untrusted or remote, this can leak sensitive internal documentation. Restricting read/write paths, adding sanitization, and auditing Task calls will reduce that risk. LLM verification: No explicit malware or obfuscated payloads were found in the provided skill. The main security risk is that the coordinator reads internal project/spec files and forwards their full contents to a subagent via Task(...) without demonstrating redaction, filtering, or a clear trust boundary. If the subagent is untrusted or routes requests externally, this behavior can leak sensitive internal information (architecture details, potentially secrets embedded in docs). Recommendation: treat this skill a