Security audit

Echarts Chart Skill

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates ECharts chart files and does not show hidden persistence, credential access, exfiltration, or destructive behavior.

Safe to install for chart generation workflows. Before opening generated HTML previews or demos in sensitive environments, be aware they may contact third-party CDNs; prefer SVG output or locally bundled assets if offline or stricter supply-chain behavior is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Low
Confidence: 95%
Finding:
The preview HTML loads executable JavaScript from a third-party CDN, which means rendering depends on remote code outside the repository's control. If the CDN content is compromised, tampered with, or swapped unexpectedly, anyone opening the preview could execute untrusted script in their browser.

Missing User Warnings

Low
Confidence: 93%
Finding:
This demo page loads third-party resources from Google Fonts and jsDelivr at runtime, which creates a supply-chain and privacy exposure because page rendering depends on external domains outside the skill package. If those resources are modified, blocked, or used for tracking, users may receive altered code/assets or leak request metadata without any warning or consent notice.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.