text2echart

Security checks across malware telemetry and agentic risk

Overview

This chart skill is useful, but it should be reviewed carefully because its web app runs pasted JavaScript from chart inputs without a clear safety warning.

Review before installing. Use it only with chart data and chart configs you trust, avoid pasting third-party JSON or formatter/function snippets into the web app, and be aware that CLI options can write files and open a browser. Prefer embedded/local libraries over CDN output when working with private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill documentation indicates network-capable behavior through remote ECharts CDN loading, but no corresponding permissions are declared. Undeclared network use weakens trust and reviewability because the skill can fetch third-party code at runtime, changing behavior outside the declared security model.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: This is a true security-relevant mismatch: the skill claims to only emit HTML in-chat, but the documentation describes materially broader capabilities including CLI execution paths, browser launching, remote CDN loading, and especially arbitrary JavaScript execution via new Function in the web app. Such hidden or under-declared behavior can mislead users and reviewers, increasing the chance that risky execution features are invoked without appropriate scrutiny.

Description-Behavior Mismatch

Severity: Medium
Confidence: 81%
Finding: The documentation broadens the skill from a simple direct-HTML generator into a multi-mode toolchain with a web app and CLI workflows. That expansion increases attack surface and can cause an agent or user to invoke file, process, or browser behaviors that were not expected from the skill's top-level contract.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding: The document gives conflicting operational instructions: it forbids CLI/scripts in the LLM guidance, then later explicitly recommends CLI usage. Contradictory instructions are dangerous in agent settings because they can bypass intended safeguards and make tool invocation behavior unpredictable, especially when the CLI can read/write files or launch a browser.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The skill can launch the system browser via a subprocess, which is beyond the declared purpose of returning HTML text and creates an unnecessary side effect on the host. In agent contexts, this can be abused to trigger local application execution and force a user/device to open attacker-influenced content without sufficient isolation or consent.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The code executes arbitrary JavaScript from the functionInput field via new Function(functionText) and immediately invokes it. In a chart-generation skill, this is unnecessary and enables arbitrary script execution in the page context, allowing DOM manipulation, data exfiltration, or abuse of browser capabilities available to the origin.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The transformObject routine walks the entire option object and turns string values that resemble functions into executable code using new Function. This creates a broad code execution surface hidden inside otherwise data-like JSON, making malicious payloads easy to smuggle into chart configuration.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The blur handler compiles and executes user-supplied JavaScript merely to validate it, which grants arbitrary code execution without a legitimate need for the skill's stated purpose. Because this skill is supposed to construct chart HTML/options, embedding an execution engine materially increases risk with no clear security boundary or sandbox.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The trigger keywords are broad terms like 'chart', 'graph', 'plot', and 'draw', which are common in normal conversation and can cause accidental activation. In context, accidental triggering is more dangerous because the skill may output executable HTML or steer users toward broader web/CLI workflows than they intended.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: User-provided code is executed on button action without any explicit warning, consent step, or explanation that arbitrary JavaScript will run in-browser. This increases the chance that users paste untrusted snippets believing they are harmless chart config, leading to self-XSS-style compromise.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: Function-like strings embedded in the option JSON are dynamically compiled and executed with no disclosure to the user that data fields may become code. This violates the expected data/code boundary and makes malicious payloads difficult for users to recognize during review.

VirusTotal

65/65 vendors flagged this skill as clean.