excalidraw-export

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/export.py script executes external binaries, including resvg and Google Chrome, via subprocess.run to perform image rendering. These calls pass arguments as a list rather than as a shell string, so no shell is invoked and the arguments are not subject to shell injection; the calls are necessary for the skill's stated purpose.
  • [EXTERNAL_DOWNLOADS]: The scripts/setup.sh script installs standard Python packages (fonttools, brotli) via pip and the resvg utility via Homebrew. These operations target official package registries and are documented for the user.
  • [DATA_EXFILTRATION]: The skill sends generated diagram data to https://kroki.io via HTTP POST requests in scripts/export.py. This is a well-known service used to render Excalidraw JSON into SVG format, and the data transfer is the intended core functionality of the skill.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 31, 2026, 07:10 PM