

drawio-skill — agentic threat model

AIVSS 8.5 · High

The drawio-skill agent presents a high local security risk due to its execution of local Python scripts and native CLI binaries on the host system, which could be exploited via prompt injection from untrusted input files like Terraform or Kubernetes manifests.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs:
- CVSS base: 7.8
- AARS uplift: 0.68
- Factor sum: 3.1 / 10
- Threat multiplier (ThM): ×1.0
- Mitigation factor: ×1.0

Agentic risk factors:
- Autonomy of Action: 0.40
- Goal-Driven Planning: 0.50
- Self-Modification: 0.10
- Dynamic Tool Use: 0.60
- Persistent Memory: 0.10
- Contextual Awareness: 0.40
- Dynamic Identity: 0.10
- Multi-Agent Interactions: 0.10
- Non-Determinism: 0.50
- Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Uses an LLM to generate draw.io XML and a vision model for self-checking. Vulnerable to prompt injection via malicious input files (e.g., comments in Terraform/K8s manifests) designed to hijack the XML structure or command parameters.

L2 · Data Operations (✓ mapped)

Processes local files (Terraform/K8s manifests) to generate diagrams. Vulnerable to local file disclosure if an attacker tricks the agent into reading sensitive configuration files and rendering their contents into the output diagram.

L3 · Agent Frameworks (✓ mapped)

Orchestrates the generation of XML, execution of a local Python script (autolayout.py), and invocation of the draw.io CLI. Vulnerable to insecure tool integration if LLM-generated inputs are passed to the shell or Python interpreter without strict sanitization.

L4 · Deployment & Infrastructure (✓ mapped)

Runs directly on the host system, invoking native CLI binaries and Python scripts. Lacks sandboxing, meaning any successful command injection or remote code execution vulnerability results in direct compromise of the host environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in logging, guardrails, or evaluation frameworks are mentioned for monitoring the execution of the CLI or Python scripts.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — There is no mention of authentication, authorization, or compliance policies governing which files the skill can access or which CLI commands it can run.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — The skill operates as a standalone local tool and does not appear to interact with other agents or marketplaces.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).