edrawmax-diagram
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses a Python script (scripts/download_diagram.py) to download PNG and SVG files from remote URLs provided by the EdrawMax API and save them to the local filesystem.
- [COMMAND_EXECUTION]: The download utility scripts/download_diagram.py explicitly disables SSL certificate verification (ssl.CERT_NONE) and hostname checking (check_hostname = False). This is a security best-practice violation that allows an attacker to intercept the connection and potentially provide malicious files instead of the intended diagrams (Man-in-the-Middle attack).
- [COMMAND_EXECUTION]: The script takes an --output-dir argument from the agent and uses os.makedirs(..., exist_ok=True) and open(..., 'wb') to write files. This allows the agent to write files to any directory on the local system for which the process has write permissions.
- [SAFE]: The API endpoints utilized by the skill (api.edrawmax.cn) belong to the verified vendor (Wondershare EdrawMax) and are used for their intended purpose of diagram generation.
Audit Metadata