technical-svg-diagrams

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill recommends using uvx to download and run cairosvg and pillow from PyPI at runtime. While these are trusted packages from a standard registry, this still constitutes an external dependency fetch.
  • COMMAND_EXECUTION (LOW): The <export_to_webp> section provides shell commands (uvx, rm, convert, cwebp) for the agent to execute. If the agent derives the diagram.svg filename from untrusted user input without sanitization, this could lead to local command injection (e.g., a filename like file; touch EXPLOITED.svg).
  • INDIRECT_PROMPT_INJECTION (LOW): The skill processes user-provided diagram requirements to generate SVG content. While SVG is data, malicious user input could attempt to include <script> tags or manipulate the conversion tools, though the risk is minimized by the static templates provided.
      • Ingestion points: User diagram descriptions and requirements used to populate SVG elements.
      • Boundary markers: None present.
      • Capability inventory: File writing (.svg, .webp) and shell command execution via the export section.
      • Sanitization: None specified for filenames or SVG content.
Audit Metadata
  • Risk Level: LOW
  • Analyzed: Feb 16, 2026, 07:48 AM