Chart Generator 2.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a local chart-making skill with expected file output and some local history persistence users should understand.

Install only if you are comfortable running local Bash/Python scripts that create chart files. Avoid putting secrets or highly sensitive business details in chart titles or labels, and check the local chart-generator data directory or output paths if you need to delete generated files or history.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 80% confidence
Finding: The _log function persistently records chart metadata including timestamps, chart type, title, and summary details to history.log without any notice to the user. In agent or automation contexts, chart titles and labels may contain sensitive business or personal data, so this creates an unintended local data retention/privacy leak even though it is limited to the current user's account.

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The SVG export command silently writes chart files into a persistent data directory using a generated filename, which may preserve sensitive chart content longer than the user expects. In a skill context where agents may visualize confidential data, undisclosed persistence increases the risk of local information exposure through leftover files, backups, or later inspection.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal