excalidraw-mcp

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by reading untrusted content from an external Excalidraw canvas and using it to drive agent decisions and actions.
  • Ingestion Points: Data enters the agent context via get_resource, query_elements, and the GET /api/elements REST API endpoints.
  • Boundary Markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between diagram metadata and malicious instructions embedded in shape text or labels.
  • Capability Inventory: The skill has the ability to execute local shell commands (node scripts/*.cjs), write to the local file system (export-elements.cjs), and perform destructive canvas operations (clear-canvas.cjs).
  • Sanitization: Absent. The skill does not describe any validation or filtering of content retrieved from the canvas before it is processed or used in script arguments.
  • Command Execution (HIGH): The workflow encourages the agent to execute Node.js scripts with complex JSON strings passed as command-line arguments. If the agent populates the --data flag with content retrieved from the canvas, it creates a risk of command injection or malicious payload delivery.
  • Evidence: node scripts/create-element.cjs --data '{...}' and node scripts/update-element.cjs --id <id> --data '{...}' in references/cheatsheet.md.
  • Data Exposure (LOW): The skill interacts with a local service (http://localhost:3000). While this is standard for the described purpose, it represents an internal network access point that could be abused if the EXPRESS_SERVER_URL is redirected to other internal services.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 03:36 AM