drawio
Fail
Audited by Socket on Mar 10, 2026
1 alert found:
Obfuscated File (HIGH)
SKILL.md
The skill is broadly coherent with its stated purpose: it centers on generating and editing diagrams via an embedded MCP server and a real-time browser preview. The primary security concerns relate to the supply-chain risk of installing an external MCP server via npx and the potential data exposure from loading draw.io assets and diagram content through an external embedding host. No credentials or sensitive local files are indicated. Overall, the footprint is largely benign and purpose-aligned, but the use of an unverifiable external MCP server via npx and external embedding resources warrants a cautious, suspicious-leaning assessment due to supply-chain and data-flow surface area.
Confidence: 98%