Excalidraw Generation
Audited by Socket on Feb 15, 2026
1 alert found:
Security[Skill Scanner] Backtick command substitution detected All findings: [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The Excalidraw Generation skill is functionally coherent: its capabilities align with its stated purpose of creating, validating, saving, and rendering Excalidraw JSON. The main security concern is the enforced automatic execution of a local render script that installs third-party tools and browser binaries — this introduces a supply-chain risk because it causes network downloads and executes code obtained remotely. There are no hardcoded secrets or obfuscated code in the skill spec itself, and no direct evidence of malicious behavior. Verdict: SUSPICIOUS (not malicious) due to the high-risk operation of running an install-and-render script without integrity checks and the reliance on an environment variable path that could be manipulated. Treat the render script and its installed dependencies as sensitive supply-chain components that must be validated before execution. LLM verification: This skill's code itself does not contain obvious malware: no network exfiltration, no hard-coded secrets, no dynamic eval or obfuscation. However, it enforces mandatory execution of a local render script located via CLAUDE_PLUGIN_ROOT. That requirement elevates the supply-chain and execution risk: if the runtime environment or the script path can be controlled or modified by an attacker, arbitrary code could run during normal skill use. The skill is otherwise coherent and proportionate to its p