drawio-skill — agentic threat model
The drawio-skill agent presents a high local security risk due to its execution of local Python scripts and native CLI binaries on the host system, which could be exploited via prompt injection from untrusted input files like Terraform or Kubernetes manifests.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.60 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Uses an LLM to generate draw.io XML and a vision model for self-checking. Vulnerable to prompt injection via malicious input files (e.g., comments in Terraform/K8s manifests) designed to hijack the XML structure or command parameters.
Processes local files (Terraform/K8s manifests) to generate diagrams. Vulnerable to local file disclosure if an attacker tricks the agent into reading sensitive configuration files and rendering their contents into the output diagram.
Orchestrates the generation of XML, execution of a local Python script (autolayout.py), and invocation of the draw.io CLI. Vulnerable to insecure tool integration if LLM-generated inputs are passed to the shell or Python interpreter without strict sanitization.
Runs directly on the host system, invoking native CLI binaries and Python scripts. Lacks sandboxing, meaning any successful command injection or remote code execution vulnerability results in direct compromise of the host environment.
Not certain from the listing — No built-in logging, guardrails, or evaluation frameworks are mentioned for monitoring the execution of the CLI or Python scripts.
Not certain from the listing — There is no mention of authentication, authorization, or compliance policies governing which files the skill can access or which CLI commands it can run.
Not certain from the listing — The skill operates as a standalone local tool and does not appear to interact with other agents or marketplaces.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).