Is a-anand-91119/excalidraw safe?

https://github.com/openclaw/skills/tree/main/skills/a-anand-91119/excalidraw

Overall score: 84/100 · SAFE

The excalidraw skill is a well-implemented diagram renderer with no prompt injection, no credential access, and clean install-time network activity confined to GitHub. The primary security consideration is architectural rather than malicious: the skill requires the agent to execute third-party JavaScript (including pre-compiled Rust native binaries) on every diagram request, which expands the trusted execution boundary beyond a purely instructional skill. The render.js code itself is clean, readable, and consistent with its stated purpose.

Category Scores (score/100 · weight in overall score)

Prompt Injection 90/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 67/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

MEDIUM Pre-compiled Native Rust Binaries Included via @resvg/resvg-js -15

The @resvg/resvg-js package ships platform-specific pre-compiled Rust/NAPI native add-ons (e.g., @resvg/[email protected]). These execute with the full permissions of the agent process. Unlike JavaScript, native binaries cannot be trivially audited for behavior. Integrity is partially mitigated by SHA-512 hashes recorded in package-lock.json, which npm verifies on install, but the binaries themselves are opaque trust artifacts from an external publisher.

MEDIUM Agent Required to Execute Third-Party JavaScript on Every Diagram Request -10

SKILL.md instructs the agent to run 'node /scripts/render.js' as step 3 of the diagram workflow on every invocation. This means the skill author's JavaScript executes within the agent's Node.js runtime each time the skill is used. If the skill directory were writable by an attacker or the script were replaced via a supply chain attack, this provides a persistent code execution vector.

LOW setup.sh Downloads Font Files From External CDNs -10

The setup script fetches Virgil.woff2 from cdn.jsdelivr.net (pinned to @excalidraw/[email protected]) and CascadiaCode-2404.23.zip from github.com/microsoft/cascadia-code releases. While fonts are not executable and the URLs are version-pinned, these external dependencies could be tampered with via CDN compromise or a maintainer pushing a new patch to the same version tag.

LOW setup.sh Executes Shell Commands Including curl, python3, and npm -8

The setup script chains curl (external downloads), python3 with fontTools (font format conversion), npm install (package fetching), and unzip. Although all operations appear benign and purposeful for font setup, running a bash script sourced from an untrusted publisher in a production agent environment represents execution surface that warrants review before use.

LOW User-Controlled JSON Processed Through Multi-Layer Rendering Pipeline -15

render.js accepts a file path via argv[2] and routes its JSON content through jsdom (DOM construction), roughjs (path generation), and resvg-js (SVG-to-PNG rasterization). A specially crafted excalidraw JSON could theoretically trigger vulnerabilities in these libraries. Text values are assigned to tspan.textContent (not innerHTML), preventing XSS-style injection, but the overall rendering surface is non-trivial.

INFO No npm Lifecycle Hooks Present (Positive) 0

package.json contains no 'scripts' field and therefore has no preinstall, postinstall, prepare, or other lifecycle hooks. npm install of this skill does not automatically execute arbitrary code beyond resolving declared dependencies.

INFO Install Network Activity Limited to GitHub Clone 0

The only external TCP connection during the entire install phase was to 140.82.121.3:443 (a known GitHub IP). No connections to unexpected hosts, no DNS lookups for attacker-controlled domains, and no data exfiltration attempts were observed in the packet capture.

INFO Canary File Reads Attributed to Oathe Audit Infrastructure 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in auditd PATH records twice: items 259-264 at timestamp 1771653435 (6 seconds before git clone began at 1771653441) and items 1460-1465 at timestamp 1771653452 (5 seconds after skill copy completed). Both batches are sequential block reads consistent with Oathe's pre/post-install integrity baseline logic. All files are confirmed unmodified by the canary integrity check.