Trust Assessment
beautiful-mermaid received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via unsanitized Mermaid code, Command Injection via unsanitized filenames, Data Exfiltration and Arbitrary Code Execution via `agent-browser` with `file://` scheme.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on June 1, 2026 (commit 9b0e00ad). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Command Injection via unsanitized Mermaid code The skill instructs the agent to execute shell commands (`bun run`, `npx tsx`, `deno run`) with user-provided or LLM-generated Mermaid code passed directly via the `--code` argument. If the Mermaid code contains shell metacharacters (e.g., backticks, semicolons, `$(...)`), an attacker can inject and execute arbitrary shell commands on the host system. The skill explicitly states, 'If the user provides a description rather than code, generate valid Mermaid syntax,' which means the LLM will construct this input, making it a direct vector for prompt injection leading to command injection. All user-provided or LLM-generated input that is passed to shell commands must be strictly sanitized or properly escaped. For `--code` arguments, ensure that any shell metacharacters are escaped or that the input is passed via stdin if the script supports it, rather than directly in the command line. Consider using a dedicated library for command execution that handles escaping automatically. | Static | SKILL.md:56 | |
| CRITICAL | Data Exfiltration and Arbitrary Code Execution via `agent-browser` with `file://` scheme The skill instructs `agent-browser` to open a locally generated HTML file (`diagram.html`) using the `file://` scheme. If the Mermaid diagram code (which is user-controlled or LLM-generated) can embed arbitrary HTML or JavaScript, this JavaScript will be executed by `agent-browser` with the privileges typically granted to `file://` URLs. This can allow the injected script to read local files (e.g., `file:///etc/passwd`, `file:///home/user/.ssh/id_rsa`) and exfiltrate them over the network (if `agent-browser` allows network access for `file://` contexts, which is common). This constitutes a severe data exfiltration and arbitrary code execution vulnerability. 1. **Strictly sanitize Mermaid input:** Ensure that the Mermaid code cannot embed arbitrary HTML or JavaScript. If the rendering library allows HTML injection, it must be disabled or sanitized. 2. **Sandbox `agent-browser`:** If possible, configure `agent-browser` to run in a highly restricted sandbox, preventing network access or local file system access for opened `file://` URLs. 3. **Avoid `file://` for untrusted content:** If the content of `diagram.html` cannot be guaranteed safe, avoid opening it directly with `file://`. Consider serving it via a local HTTP server with strict Content Security Policy (CSP) headers, or rendering it in a headless browser environment that is isolated from the host filesystem and network. | Static | SKILL.md:80 | |
| HIGH | Command Injection via unsanitized filenames The skill constructs filenames (e.g., for `--output` in `render.ts`, `--svg` and `--output` in `create-html.ts`, and the `rm` command) based on user input or derived values. If an attacker can inject shell metacharacters into these filenames, they could execute arbitrary commands. For example, an output filename like `diagram; rm -rf /;` could lead to critical system compromise. All filenames derived from user input or potentially attacker-controlled values must be strictly validated and sanitized to prevent shell metacharacter injection. Only allow alphanumeric characters, hyphens, and underscores, or use a robust path sanitization library. | Static | SKILL.md:56 | |
| MEDIUM | Excessive Permissions granted to Deno script The `deno run` command explicitly requests broad permissions (`--allow-read`, `--allow-write`, `--allow-net`) for the `scripts/render.ts` script. While some of these might be necessary for rendering (e.g., read input, write output), `--allow-net` is particularly broad. If the `render.ts` script has any vulnerabilities (e.g., path traversal, SSRF, or insecure dependency loading), these broad permissions significantly increase the potential impact of an exploit, allowing unauthorized file access, modification, or network communication. 1. **Principle of Least Privilege:** Review `scripts/render.ts` to determine the absolute minimum set of permissions required. 2. **Restrict network access:** If `--allow-net` is not strictly needed for rendering (e.g., if all resources are local), remove it. If it is needed, restrict it to specific domains or IP addresses. 3. **Restrict file access:** Use more granular Deno permissions like `--allow-read=/path/to/specific/dir` and `--allow-write=/path/to/specific/dir` instead of blanket `--allow-read` and `--allow-write`. 4. **Audit `render.ts`:** Thoroughly audit the `render.ts` script for vulnerabilities like path traversal, SSRF, and insecure dependency handling. | Static | SKILL.md:64 |
Scan History
Embed Code
[](https://skillshield.io/report/a81b0b3d7fadfe04)
Powered by SkillShield