beautiful-mermaid
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/render.tsfile useschild_process.execSyncto execute shell commands for package management. It dynamically callsbun addornpm installbased on the detected runtime environment to ensure thebeautiful-mermaidpackage is available. - [EXTERNAL_DOWNLOADS]: The
ensurePackagefunction inscripts/render.tsdownloads thebeautiful-mermaidpackage from the public NPM registry at runtime. The package is not version-locked, and its integrity is not verified before installation, which could lead to the execution of untrusted code if the registry or package is compromised. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in
scripts/create-html.ts, where raw SVG content—potentially derived from user-supplied Mermaid code—is interpolated directly into an HTML wrapper without sanitization. This could allow an attacker to embed malicious<script>tags in the diagram code that execute when the agent views the resulting HTML file. - Ingestion points: The Mermaid syntax provided via the
--codeor--inputarguments inrender.ts(as seen inSKILL.mdworkflow). - Boundary markers: None. The content is directly placed inside a
divtag in the HTML template. - Capability inventory: The skill uses
child_process.execSyncfor shell execution and theagent-browserskill for rendering and screenshots. - Sanitization: No escaping or validation is performed on the
svgContentvariable before it is written to the output file.
Audit Metadata