excalidraw
Audited by Gen Agent Trust Hub on Feb 12, 2026
The skill consists of two markdown files (README.md and SKILL.md) that provide instructions and guidelines for an AI agent on how to handle Excalidraw files. There are no executable scripts, no external dependencies, and no direct commands that could lead to privilege escalation, data exfiltration, or persistence. The primary purpose of the skill is to instruct the main agent to delegate the processing of verbose Excalidraw JSON files to subagents to conserve context budget. The instructions are clear, repetitive, and emphasize avoiding direct interaction with the raw JSON.
Prompt Injection: The files contain strong instructional language (e.g., "NEVER:", "ALWAYS:", "Important:", "The Iron Law"). However, these are intended to guide the agent's operational behavior within the scope of the skill (efficient Excalidraw handling), not to bypass safety guidelines or system prompts. There are no patterns indicative of malicious prompt injection attempts (e.g., "Ignore previous instructions", "You are now unrestricted").
Data Exfiltration, Privilege Escalation, Persistence, Unverifiable Dependencies, Time-Delayed Attacks: None of these threat categories are applicable as the skill does not involve any code execution, file system manipulation beyond reading/writing Excalidraw files (which is delegated to subagents and not directly performed by the main agent based on these instructions), network operations, or external package installations.
Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in either file.
Metadata Poisoning: The name and description fields in SKILL.md are clean and accurately reflect the skill's purpose without any hidden malicious instructions.
Indirect Prompt Injection: The skill describes a process where subagents will read and potentially modify Excalidraw JSON files. If these Excalidraw files originate from untrusted sources, they could theoretically contain data crafted to influence the subagent's behavior (e.g., by embedding instructions in text fields within the diagram data). However, this is an inherent risk of any skill that processes external, potentially untrusted, data. The skill itself does not introduce this vulnerability but rather describes a pattern for handling such data efficiently. The instructions also suggest that the subagent return a "text-only summary (not raw JSON)", which helps mitigate the risk of malicious JSON structure affecting the main agent. This is noted as an informational risk, not a direct vulnerability of the skill's instructions.
In conclusion, the skill is a set of well-defined instructions for agent behavior and does not contain any malicious patterns or direct security vulnerabilities.