registry  /  agentic-mermaid  /  0.1.0

agentic-mermaid@0.1.0

Agentic Mermaid: render, verify, and safely edit Mermaid diagrams as ASCII, PNG, SVG, or structured agent workflows — with composable styles (hand-drawn, excalidraw, watercolor, or your own as JSON).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `am init-agent` or `agentic-mermaid init-agent`.
Impact
Agents in that repo may follow the added Mermaid workflow and use the package MCP server.
Mechanism
explicit agent config and skill file generation
Rationale
The package contains an explicit agent setup capability, so a warn is appropriate under the agent control-surface policy, but inspection did not find unconsented install-time mutation, exfiltration, remote payload execution, or stealth persistence. Scanner hits for VM, child_process, network, and Unicode are explained by the MCP sandbox, preview opener, documentation/generated guidance URLs, and bundled source text.
Evidence
package.jsonsrc/cli/am-bin.tssrc/cli/index.tssrc/cli/init-agent.tssrc/mcp/mcp-bin.tssrc/mcp/server.tssrc/mcp/sandbox.tssrc/mcp/artifacts.tssrc/agent/trace-log.tsdist/am.jsdist/agentic-mermaid-mcp.jsAGENTS.mdskills/agentic-mermaid-diagram-workflow/SKILL.md.mcp.json
Network endpoints2
agentic-mermaid.dev/llms.txtagentic-mermaid.dev/agent-instructions.md

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/cli/init-agent.ts writes AGENTS.md, skills/agentic-mermaid-diagram-workflow/SKILL.md, and .mcp.json into a chosen repo dir.
  • src/cli/index.ts exposes this only as explicit `am init-agent [--dir] [--force]`, not install/import-time behavior.
  • Generated .mcp.json config registers `npx -y --package agentic-mermaid agentic-mermaid-mcp` for agents.
Evidence against
  • package.json has no preinstall/install/postinstall; only prepublishOnly build runs for publisher workflow.
  • src/cli/am-bin.ts only dispatches CLI args; src/mcp/mcp-bin.ts only starts the MCP CLI when invoked.
  • src/mcp/sandbox.ts disables eval/Function/process/require/fetch and uses node:vm timeout/codeGeneration guards for user-supplied Code Mode.
  • src/mcp/server.ts HTTP transport defaults to 127.0.0.1 and requires auth-token for non-loopback bind.
  • src/cli/index.ts child_process spawnSync is limited to user-requested preview open command.
  • No credential harvesting or outbound exfiltration path found in inspected entrypoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 181 file(s), 7.74 MB of source, external domains: agentic-mermaid.dev, fonts.googleapis.com, github.com, llmstxt.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/am.jsView file
6920contains invisible/control Unicode U+FEFF (zero width no-break space) var FRONTMATTER_REGEX2 = /^<U+FEFF>?\s*---\s*\r?\n([\s\S]*?)\r?\n\s*---\s*(?:\r?\n|$)/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/am.jsView on unpkg · L6920
190import { readFileSync as readFileSync2, existsSync as existsSync3, writeFileSync as writeFileSync2, mkdtempSync, watch } from "fs"; L191: import { spawnSync } from "child_process"; L192: import { join as join3, resolve } from "path";
High
Child Process

Package source references child process execution.

dist/am.jsView on unpkg · L190
6Cross-file remote execution chain: dist/am.js spawns dist/index.js; helper contains network access plus dynamic code execution. L6: L7: // package.json L8: var require_package = __commonJS({ ... L47: type: "git", L48: url: "git+https://github.com/adewale/agentic-mermaid.git" L49: }, ... L190: import { readFileSync as readFileSync2, existsSync as existsSync3, writeFileSync as writeFileSync2, mkdtempSync, watch } from "fs"; L191: import { spawnSync } from "child_process"; L192: import { join as join3, resolve } from "path"; ... L202: text: processed.lines.join("\n"), L203: body: processed.body, L204: lines: processed.lines,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/am.jsView on unpkg · L6
src/mcp/facade.tsView file
548// eslint-disable-next-line no-new-func L549: new Function(`return (\n${stripped}\n)`) L550: return [expressionWrapped]
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/mcp/facade.tsView on unpkg · L548
src/mcp/sandbox.tsView file
131if (typeof encoded !== 'string') return [] L132: const value = JSON.parse(encoded) L133: return Array.isArray(value) ? value.filter(v => typeof v === 'string') : []
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

src/mcp/sandbox.tsView on unpkg · L131
dist/agent.jsView file
Trigger-reachable chain: manifest.exports -> dist/agent.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agent.jsView on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalTrojan Source Unicodedist/am.js
CriticalTrigger Reachable Dangerous Capabilitydist/agent.js
HighChild Processdist/am.js
HighShell
HighCross File Remote Execution Contextdist/am.js
MediumUnsafe Vm Contextsrc/mcp/sandbox.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalsrc/mcp/facade.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings