Chart Renderer
Open Review. Audited by ClawScan on May 17, 2026.
Overview
The skill mostly matches its chart-rendering purpose, but generated reports insert data into HTML without escaping, so untrusted chart or table content could run code in the browser.
Use this skill only with data you trust, or sanitize/escape all report text before generating the HTML. Before sharing or opening reports from untrusted inputs, inspect the final HTML and ensure any required Chart.js/html2canvas libraries come from pinned, trusted sources.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you render data from an untrusted file, website, or message, opening the generated report could execute embedded browser code or leak report contents.
Section titles and renderer output are appended with innerHTML without escaping. Renderer files also interpolate report values into HTML strings, so malicious or untrusted data could become active HTML/JavaScript in the generated report.
if(sec.title) h+=`<div class="sec-title">${sec.title}</div>`; ... el.innerHTML+=h;
Only render trusted data, or update the templates to HTML-escape all text fields by default and allow raw HTML only for explicitly trusted content.
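The default-escaping fix recommended for this finding, as an added example in plain JavaScript (not the skill's own renderer code): the section template is rebuilt so every text field is escaped before the string reaches innerHTML, and raw HTML passes through only on an explicit opt-in. The `trustedHtml` option and the `sec.rows` field are assumptions for the example, not fields the skill defines.

```javascript
// Added example, not from the Chart Renderer skill: escape report text before
// interpolating it into the template string that is later appended to innerHTML.
// Assumptions: `sec.title` as in the finding; `sec.rows` (table cells) and the
// `trustedHtml` opt-in are constructed for this example.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Build the markup for one report section. Text fields are escaped by default;
// raw HTML is passed through only when the caller explicitly marks the section
// as trusted (e.g. content authored by the skill's own templates).
function renderSection(sec, { trustedHtml = false } = {}) {
  let h = '';
  if (sec.title) {
    const title = trustedHtml ? sec.title : escapeHtml(sec.title);
    h += `<div class="sec-title">${title}</div>`;
  }
  if (Array.isArray(sec.rows)) {
    h += '<table>';
    for (const row of sec.rows) {
      h += '<tr>' + row.map((cell) => `<td>${escapeHtml(cell)}</td>`).join('') + '</tr>';
    }
    h += '</table>';
  }
  return h;
}

// Constructed sample: a section whose title and one cell carry markup that
// would become live HTML if appended to innerHTML without escaping.
const untrustedSection = {
  title: 'Q1 Sales <script>alert(1)</script>',
  rows: [['Region', 'Total'], ['North', '<b>100</b>']],
};

// In the real renderer this string would be assigned via el.innerHTML += h;
console.log(renderSection(untrustedSection));
```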
The final report may require out-of-band JavaScript libraries; if those are fetched from an untrusted or unpinned source, the generated page could run third-party code.
The template depends on html2canvas, and chart rendering also references Chart/ChartDataLabels, but the provided artifacts do not include those libraries or declare a pinned source.
html2canvas(document.getElementById('captureArea'),{
Use reviewed, pinned local copies or trusted CDN URLs with integrity checks if adding these browser libraries to the final HTML.
