excalidraw-diagram-generator
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external data from Excalidraw icon libraries to enhance diagrams.
  - Ingestion points: The agent is instructed to read `libraries/<library-name>/reference.md` and individual icon JSON files located in the `icons/` subdirectory. These files are typically downloaded by the user from external sources like the Excalidraw library marketplace.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to disregard potential natural language commands embedded within the icon metadata or the reference documentation.
  - Capability inventory: Across the skill, the agent can execute Python scripts (`add-icon-to-diagram.py`, `add-arrow.py`, `split-excalidraw-library.py`) which possess file-write and directory-creation capabilities on the local filesystem.
  - Sanitization: There is no evidence of sanitization or validation of the content within the icon JSON files before they are merged into the user's diagram file or processed by the agent's logic.
- [COMMAND_EXECUTION]: The skill's primary workflow involves the agent executing local Python scripts to perform diagram edits. These scripts take file paths and element names as command-line arguments.
  - Scripts: `scripts/add-arrow.py`, `scripts/add-icon-to-diagram.py`, and `scripts/split-excalidraw-library.py`.
  - Evidence: The scripts use `sys.argv` to ingest parameters such as `diagram_path` and `library_path`, which are used directly with `pathlib.Path` for file operations including `rename`, `read`, and `write`. Without strict validation of these paths by the agent, there is a risk of path traversal or accidental manipulation of sensitive local files if the agent is misled regarding the target diagram's location.
Audit Metadata