Viz Table

This skill appears to do what it says, but it includes risky runtime behaviors you should consider before installing or using it: - Client-side use of eval(): The SKILL.md instructs the page to compute user-entered formulas via eval(), which can execute arbitrary JavaScript. Replace eval() with a safe expression evaluator (e.g., mathjs) or strictly validate/parse formulas before execution. - Unsanitized data injection / XSS risk: The generated HTML will render the input CSV/JSON into the page. If the implementation inserts data using innerHTML or otherwise fails to escape/encode content, a CSV containing <script> or crafted strings could run code in your browser. Ensure all cell values are escaped (use textContent or proper escaping) and avoid injecting raw HTML. - Remote CDN dependency: The page loads ECharts from jsdelivr.net. That is convenient but introduces a remote network dependency and supply-chain risk. Consider bundling a vetted ECharts build or allowing an offline/local alternative. - Platform-specific open command: The SKILL.md runs `open /tmp/viz-table-output.html` (macOS). On Linux/Windows this will fail or be inappropriate; the skill should detect platform or use a safer approach (spawn default browser via platform API or instruct the user to open the file). Also consider asking for confirmation before automatically opening files. - Limit data sensitivity: Because the skill reads arbitrary file paths and writes and opens a local HTML that references remote resources, avoid using it on sensitive data unless you review and sanitize the generated HTML. If you want to proceed, ask the author (or modify the implementation) to: use a safe formula parser, explicitly escape all table data, provide cross-platform open behavior or prompt the user, and make loading of external scripts optional or local. If you cannot verify those changes, treat outputs as potentially unsafe and do not open with sensitive datasets.