Excalidraw Flowchart

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation and use of @swiftlysingh/excalidraw-cli from the public NPM registry. This package originates from an external individual account rather than a trusted organization or well-known service, posing a supply chain risk.
  • [REMOTE_CODE_EXECUTION]: Instructions recommend using npx to run the CLI tool. This pattern fetches and executes code from the internet at runtime, which can lead to the execution of malicious code if the remote package is compromised or substituted.
  • [COMMAND_EXECUTION]: The skill instructs the AI agent to build and execute shell commands using DSL strings generated from user descriptions. Specifically, the --inline flag passes user-influenced content directly into a shell string. This creates a surface for command injection if the user's input contains shell metacharacters (e.g., backticks, semicolons, or dollar signs) that the agent fails to escape before execution.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user descriptions to generate DSL or DOT diagrams. There is a risk that a user could provide a description designed to trick the agent into generating a DSL that contains malicious shell commands or exploits vulnerabilities in the underlying CLI tool's parser. No explicit sanitization or validation steps are provided in the instructions to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:14 AM