Echarts Chart Skill
Audited by ClawScan on May 10, 2026.
Overview
The charting skill mostly matches its stated purpose, but the HTML preview it generates can execute injected script content when chart data contains HTML or script-closing sequences.
Use this skill only with chart data you trust, or export SVG or option files instead of opening generated HTML previews until the HTML escaping issue is fixed. Also confirm output paths before running it, and be aware that HTML previews load ECharts from a third-party CDN.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan did not execute the skill or run runtime probes.
A malicious or untrusted dataset could make the exported HTML preview run code in the user's browser and potentially expose the chart contents or mislead the user.
The generated HTML places chart data/options directly inside an executable script block. JSON.stringify does not neutralize HTML parser sequences like `</script>`, so untrusted chart labels or fields could break out of the script and execute JavaScript when the preview is opened.
const optionJson = JSON.stringify(option, null, 2); ... <script> ... const option = ${optionJson}; ... chart.setOption(option);

Escape `<`, `>`, `&`, and script-closing sequences before embedding the JSON, or place the JSON in a non-executable `application/json` script tag and parse it safely at runtime. Avoid opening HTML generated from untrusted data until this is fixed.
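The two fixes the finding recommends, side by side with the vulnerable interpolation, as an added example that is not the skill's own code. The `jsonForScript`, `buildPreview*` and `scriptCloseCount` names and the hostile sample option are constructed for illustration; the check counts how many script-element terminators the HTML parser would see, so any count above the number of intended `<script>` elements means the data broke out.

```javascript
// Added example (not the skill's own code): embedding untrusted chart options
// into an HTML preview without letting data terminate the <script> element.

// Serialize to JSON, then escape the characters the HTML parser reacts to.
// JSON.stringify leaves "<", ">", "&" and U+2028/U+2029 untouched, so a label
// containing "</script>" ends the script element. Replacing them with JSON
// \uXXXX escapes keeps the text valid JSON (JSON.parse and a JS string literal
// both decode the escapes) while the HTML parser never sees a raw "<".
function jsonForScript(value) {
  return JSON.stringify(value, null, 2)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The pattern the finding describes: data interpolated straight into an
// executable block (kept here as the "before" for comparison).
function buildPreviewUnsafe(option) {
  return `<script>const option = ${JSON.stringify(option, null, 2)}; chart.setOption(option);</script>`;
}

// Fix A: same layout, escaped payload.
function buildPreviewEscaped(option) {
  return `<script>const option = ${jsonForScript(option)}; chart.setOption(option);</script>`;
}

// Fix B: the data lives in a non-executable application/json element and is
// parsed at runtime; the executable part contains no untrusted text at all.
function buildPreviewDataBlock(option) {
  return [
    `<script type="application/json" id="chart-option">${jsonForScript(option)}</script>`,
    `<script>const option = JSON.parse(document.getElementById("chart-option").textContent); chart.setOption(option);</script>`,
  ].join("\n");
}

// Check: how many script-element terminators would the HTML parser see?
// Each intended <script> contributes exactly one; any extra means a breakout.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a series name carrying a script-closing sequence.
const HOSTILE_OPTION = {
  title: { text: "Sales" },
  series: [{ name: "</script><!-- injected -->", type: "bar", data: [1, 2, 3] }],
};

function demo() {
  return {
    unsafeCloses: scriptCloseCount(buildPreviewUnsafe(HOSTILE_OPTION)),      // 2: data broke out
    escapedCloses: scriptCloseCount(buildPreviewEscaped(HOSTILE_OPTION)),    // 1: only the real tag
    dataBlockCloses: scriptCloseCount(buildPreviewDataBlock(HOSTILE_OPTION)), // 2: two intended elements
    roundTrip: JSON.parse(jsonForScript(HOSTILE_OPTION)).series[0].name === HOSTILE_OPTION.series[0].name,
  };
}
```

Fix A is the smaller change to the existing template; Fix B is preferable when the preview grows, because the executable script then never contains interpolated data, so future fields cannot reintroduce the problem.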
A mistaken `--out` or `--out-dir` could write chart output over an existing file or into an unintended location.
The CLI reads a user-specified input file and writes output to user-specified paths, creating directories as needed. This is expected for a chart export tool, but it can overwrite files if the agent or user chooses the wrong output path.
const content = await readFile(resolvePath(inputPath), "utf8"); ... await mkdir(path.dirname(outputPath), { recursive: true }); await writeFile(outputPath, content, "utf8");

Confirm output paths before running the commands, prefer a project or temporary output directory, and avoid using protected or important file paths.
The preview may require internet access and depends on third-party CDN content when opened.
Generated HTML previews load ECharts from a third-party CDN using a broad major-version reference. This is purpose-aligned for browser previews, but it means opening the HTML executes remote JavaScript.
const CDN_URL = "https://cdn.jsdelivr.net/npm/echarts@5/dist/echarts.min.js"; ... <script src="${CDN_URL}"></script>

For sensitive or offline use, pin an exact ECharts version or bundle a local copy instead of loading from a CDN.
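A small guard for the recommendation above, as an added example that is not the skill's own code: it refuses to emit the script tag unless the jsDelivr URL names an exact version, adds a Subresource Integrity attribute when one is supplied, and prefers a local bundled copy when given one. `isExactlyPinned`, `echartsScriptTag`, the example version string and the integrity value are constructed; a real integrity hash must be computed from the file you actually ship.

```javascript
// Added example (not the skill's own code): only emit a pinned, optionally
// integrity-checked ECharts <script> tag, or a local one for offline use.

// jsDelivr URL form: https://cdn.jsdelivr.net/npm/<pkg>@<version>/<file>.
// "@5" (a major-version range) can resolve to a different file over time;
// "@5.5.1" (an exact version, used here as an example value) cannot.
function isExactlyPinned(cdnUrl) {
  const m = /\/npm\/echarts@([^/]+)\//.exec(cdnUrl);
  return Boolean(m) && /^\d+\.\d+\.\d+$/.test(m[1]);
}

// localPath wins when present (no network at all). Otherwise the CDN URL must be
// exactly pinned; integrity, when given, lets the browser reject a changed file.
function echartsScriptTag({ cdnUrl, integrity, localPath }) {
  if (localPath) return `<script src="${localPath}"></script>`;
  if (!isExactlyPinned(cdnUrl)) throw new Error(`refusing unpinned ECharts URL: ${cdnUrl}`);
  const sri = integrity ? ` integrity="${integrity}" crossorigin="anonymous"` : "";
  return `<script src="${cdnUrl}"${sri}></script>`;
}

// Constructed inputs: the URL shape from the finding, and a pinned variant.
const UNPINNED_URL = "https://cdn.jsdelivr.net/npm/echarts@5/dist/echarts.min.js";
const PINNED_URL = "https://cdn.jsdelivr.net/npm/echarts@5.5.1/dist/echarts.min.js";
const PLACEHOLDER_INTEGRITY = "sha384-REPLACE_WITH_HASH_OF_SHIPPED_FILE";
```

Usage: `echartsScriptTag({ cdnUrl: PINNED_URL, integrity: PLACEHOLDER_INTEGRITY })` for an online preview, or `echartsScriptTag({ localPath: "./vendor/echarts.min.js" })` for an offline one.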
