beautiful-mermaid
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The utility script scripts/mermaid.mjs provides primitives for arbitrary file system interaction without path validation or sandboxing.
  - Evidence: readFileSync(input, 'utf8') in scripts/mermaid.mjs reads data from any path supplied via the first positional argument or -i flag.
  - Evidence: writeFileSync(output, result) in scripts/mermaid.mjs writes the rendering result to any path supplied via the -o or --output flag.
  - Risk: An attacker could use indirect or direct prompt injection to trick the agent into reading sensitive configuration files (e.g., .env, SSH keys) or overwriting system files using this tool.
- [Indirect Prompt Injection] (LOW): The skill processes external data (Mermaid diagrams) which serves as an ingestion point for untrusted content.
  - Ingestion points: scripts/mermaid.mjs (via file input or stdin).
  - Boundary markers: None. The script does not wrap input or warn the agent about potential instructions inside diagrams.
  - Capability inventory: File system read/write access.
  - Sanitization: No sanitization of Mermaid syntax or file paths is performed.
- [Unverifiable Dependencies] (SAFE): The skill uses standard packages from the npm registry.
  - Finding: Dependencies are resolved to known packages on registry.npmjs.org.