Chart Generator Zc
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent local chart-generation skill, with some user-noticeable risks around local script execution, generated SVG/HTML content, metadata inconsistency, and local chart history storage.
This skill looks safe for normal local chart generation. Before installing, be aware that it runs local shell/Python code, may keep a local chart-history log, and generated SVG/HTML files should be treated as active content if the input labels or titles come from untrusted sources.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less assurance about the package origin and version lineage.
The embedded metadata differs from the registry metadata shown for this review, which lists the slug as chart-generator-zc, version 1.0.0, and a different owner ID. This is a provenance/packaging inconsistency, not evidence of malicious behavior.
"ownerId": "kn71ha3d91ekxt8tgtwpvxp6gd82jrhx", "slug": "chart-generator", "version": "2.0.0"
Confirm the publisher and intended version before relying on the skill, especially because the source and homepage are not provided.
Opening or sharing a chart generated from untrusted labels could expose viewers to unsafe SVG/HTML content.
SVG generation runs embedded Python and writes user-provided title/label text directly into SVG markup. This is purpose-aligned, but if chart text comes from untrusted data and is not escaped, the generated SVG could contain malformed or active markup.
python3 << 'SVGPYEOF' ... parts.append('<text x="{}" y="35" ...>{}</text>'.format(svg_w/2, title))
Use trusted chart labels/titles, avoid embedding untrusted markup in chart data, and prefer escaping XML/HTML special characters before writing SVG or HTML.
Chart titles or summary metadata may remain on disk after use, which could matter if they contain sensitive business information.
The secondary command creates a persistent local data directory and stores chart history entries including chart type, title, and summary details.
DATA_DIR="${CHART_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/chart-generator}" ... echo "$(date '+%Y-%m-%d %H:%M') | $1 | $2 | $3" >> "$log"
Avoid sensitive chart titles if using the history-enabled command, set CHART_DIR to a controlled location if needed, and clear the history log when appropriate.
