chartjs-reporter

Security checks across malware telemetry and agentic risk

Overview

The skill generates chart reports as described, but unescaped report data can become executable browser content when the generated HTML is previewed.

Install only if you are comfortable generating browser-opened HTML from trusted data, or modify the skill first to HTML-escape all report text and avoid automatic preview. For confidential or offline workflows, bundle Chart.js locally instead of loading it from a CDN.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill instructs generating a local HTML file and automatically opening it with a preview tool without warning the user about disk writes or browser launch behavior. In security-sensitive environments, unannounced file creation and automatic preview can expose sensitive data locally, trigger unintended application launches, or violate user expectations around consent.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill states that Chart.js is loaded from a CDN but does not warn that viewing the generated report will make network requests to a third party. This can leak IP address, user agent, access timing, and the fact that a report was opened, which is especially problematic for offline, regulated, or confidential workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
