Chart Generator Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ChartGen integration that sends confirmed chart or spreadsheet-analysis requests to ChartGen and saves returned artifacts locally.

Install only if you are comfortable sending the confirmed prompt and any selected spreadsheet contents to ChartGen for processing. Use a dedicated revocable API key, avoid confidential or regulated data unless approved, and leave CHARTGEN_API_URL unset unless you intentionally trust another endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill declares use of an environment variable (`CHARTGEN_API_KEY`) and external tool execution but does not declare corresponding permissions. This creates a governance gap: reviewers and runtime policy systems may not realize the skill can access secrets and initiate outbound API-backed actions, reducing transparency and control.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation criteria are very broad, covering generic visualization, analysis, reporting, spreadsheet uploads, and even any mention of ChartGen. Over-broad triggering can cause the skill to activate on many ordinary user requests and route sensitive data to an external service unnecessarily, increasing the chance of unintended data exposure.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill explicitly sends user queries, uploaded spreadsheets, and potentially web/external-source data to the ChartGen API, but the description does not warn users that their content will leave the local environment. Because spreadsheets often contain sensitive business or personal data, this omission can lead to uninformed disclosure of confidential information to a third party.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal