The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The workflow instructs the agent to execute shell commands (e.g., bun run scripts/render.ts --code "...") where the --code argument is populated with user-supplied content. This pattern is highly vulnerable to shell injection (e.g., using ; or & to append malicious commands) if the agent does not strictly sanitize the input.
[REMOTE_CODE_EXECUTION] (HIGH): The skill documentation explicitly recommends an --allow-install flag for the rendering script. This bypasses typical security boundaries by allowing the script to download and install arbitrary, unverified dependencies from the internet during execution.
[EXTERNAL_DOWNLOADS] (MEDIUM): The use of npx tsx is recommended, which will automatically download and execute the tsx package from the npm registry if it is not already cached locally. This introduces a dependency on an external registry that could be compromised or targeted by typosquatting.
[INDIRECT_PROMPT_INJECTION] (HIGH):
Ingestion points: User-provided Mermaid syntax strings and .mmd files in Step 2.
Boundary markers: None. User data is directly interpolated into command-line arguments.
Capability inventory: The skill has the ability to read/write files, execute arbitrary shell commands via multiple runtimes (Bun, Node, Deno), and control a web browser via agent-browser.
Sanitization: There is no mention of sanitizing or validating the Mermaid code to ensure it does not contain shell metacharacters or browser-based exploits (XSS) before being processed.

beautiful-mermaid