registry  /  agentic-mermaid  /  0.1.1

agentic-mermaid@0.1.1

Agentic Mermaid: render, verify, and safely edit Mermaid diagrams as ASCII, PNG, SVG, or structured agent workflows — with composable styles (hand-drawn, excalidraw, watercolor, or your own as JSON).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `am init-agent` or starts `agentic-mermaid-mcp`; install does not trigger either.
Impact
Can alter selected repo agent files or expose local rendering/code-mode capabilities; no autonomous persistence, credential theft, or exfiltration confirmed.
Mechanism
User-invoked agent configuration setup and locally bound MCP rendering service
Rationale
Static source inspection does not support the scanner's malicious verdict. However, the explicit CLI command modifies AI-agent control-surface files in consumer repositories, which warrants a warning under the stated policy.
Evidence
package.jsonsrc/cli/run-entrypoint.tssrc/cli/index.tssrc/cli/init-agent.tssrc/mcp/mcp-cli.tssrc/mcp/server.tssrc/mcp/sandbox.tssrc/mcp/artifacts.ts
Network endpoints2
agentic-mermaid.devfonts.googleapis.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `am init-agent` writes/updates `AGENTS.md`, `skills/agentic-mermaid-diagram-workflow/SKILL.md`, and `.mcp.json` in a selected consumer repo.
  • `src/mcp/server.ts` exposes an optional HTTP/SSE MCP server that executes submitted JavaScript in a VM sandbox.
  • `src/mcp/artifacts.ts` writes rendered artifacts to a local managed directory and removes its expired tracked files.
Evidence against
  • `package.json` has only `prepublishOnly`; no `preinstall`, `install`, or `postinstall` hook.
  • `src/cli/index.ts` invokes setup only for explicit `init-agent`; `--dir` selects its target.
  • No source `fetch`/HTTP-client exfiltration path found; URLs are documentation, local server URLs, or SVG font imports.
  • `src/mcp/sandbox.ts` removes `fetch`, `process`, `require`, `eval`, `Function`, and dynamic-code globals from the agent VM.
  • `spawnSync` is limited to explicit CLI preview opening via `AM_OPEN_COMMAND` or platform opener.
  • Bidi scan found only emoji ZWJ occurrences, not Trojan Source control characters.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 186 file(s), 8.00 MB of source, external domains: agentic-mermaid.dev, fonts.googleapis.com, github.com, llmstxt.org, www.w3.org

Source & flagged code

7 flagged · loading source
dist/am.jsView file
7305contains invisible/control Unicode U+FEFF (zero width no-break space) FRONTMATTER_REGEX2 = /^<U+FEFF>?\s*---\s*\r?\n([\s\S]*?)\r?\n\s*---\s*(?:\r?\n|$)/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/am.jsView on unpkg · L7305
40233import { readFileSync as readFileSync3, existsSync as existsSync3, writeFileSync as writeFileSync2, mkdtempSync, watch } from "fs"; L40234: import { spawnSync } from "child_process"; L40235: import { join as join4, resolve } from "path";
High
Child Process

Package source references child process execution.

dist/am.jsView on unpkg · L40233
40Cross-file remote execution chain: dist/am.js spawns dist/index.js; helper contains network access plus dynamic code execution. L40: text: processed.lines.join("\n"), L41: body: processed.body, L42: lines: processed.lines, ... L409: } L410: return JSON.parse(valueText); L411: } catch { ... L7921: const fontImports = embedFontImport ? [ L7922: ...isPlainFontFamily(font) ? [`@import url('https://fonts.googleapis.com/css2?family=${encodeURIComponent(font)}:wght@400;500;600;700&amp;display=swap');`] : [], L7923: ...hasMonoFont ? [`@import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&amp;display=swap');`] : [] ... L15516: if (proc) { L15517: if (!proc.stdout?.isTTY) { L15518: return "none";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/am.jsView on unpkg · L40
40text: processed.lines.join("\n"), L41: body: processed.body, L42: lines: processed.lines, ... L409: } L410: return JSON.parse(valueText); L411: } catch { ... L7921: const fontImports = embedFontImport ? [ L7922: ...isPlainFontFamily(font) ? [`@import url('https://fonts.googleapis.com/css2?family=${encodeURIComponent(font)}:wght@400;500;600;700&amp;display=swap');`] : [], L7923: ...hasMonoFont ? [`@import url('https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500&amp;display=swap');`] : [] ... L15516: if (proc) { L15517: if (!proc.stdout?.isTTY) { L15518: return "none";
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/am.jsView on unpkg · L40
38894try { L38895: new Function(`return ( L38896: ${stripped}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/am.jsView on unpkg · L38894
dist/agent.jsView file
Trigger-reachable chain: manifest.exports -> dist/agent.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/agent.jsView on unpkg
src/cli/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = agentic-mermaid@0.1.0 matchedIdentity = npm:YWdlbnRpYy1tZXJtYWlk:0.1.0 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/index.tsView on unpkg

Findings

3 Critical3 High4 Medium6 Low
CriticalTrojan Source Unicodedist/am.js
CriticalTrigger Reachable Dangerous Capabilitydist/agent.js
CriticalPrevious Version Dangerous Deltasrc/cli/index.ts
HighChild Processdist/am.js
HighShell
HighCross File Remote Execution Contextdist/am.js
MediumUnsafe Vm Contextdist/am.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/am.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings