Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ECharts Master
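v1.0.0
ECharts chart master. Automatically designs and generates professional ECharts visualizations based on the user's data and business context. Use cases: (1) the user provides table/JSON/CSV data that needs to be visualized, (2) the user says "make me a chart" or "draw a chart", (3) query results need to be presented visually.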
⭐ 0· 406·2 current·2 all-time
by Andy Tien @linux2010
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise generating ECharts visualizations; provided files (HTML template, design guide, local echarts.min.js) and SKILL.md instructions are directly relevant and sufficient for that purpose.
Instruction Scope
Instructions stay within scope (analyze data, produce HTML, preview via a local HTTP server). Two items worth noting: (1) SKILL.md suggests starting a local HTTP server on port 8082 to preview files — this is normal but can expose files if run on a publicly reachable host; prefer binding to localhost. (2) It suggests using `npx http-server`, which may fetch/execute code from the npm registry at runtime — a standard convenience but a network action the user should be aware of.
Install Mechanism
No install spec; skill is instruction-only but includes a local echarts.min.js (embedded library). No external download URLs or extract steps in the skill itself.
Credentials
The skill does not request environment variables, credentials, or config paths. SKILL.md references only the skill's own assets directory and the working directory, which is appropriate for generating HTML previews.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide changes, and does not modify other skills or request elevated privileges.
Assessment
This skill appears coherent and focused on producing local ECharts HTML visualizations. Before installing or running: 1) If you want to preview charts, prefer running a server bound to localhost (for example: python3 -m http.server 8082 --bind 127.0.0.1) so files aren't exposed to the network. 2) Be aware that running `npx http-server` will fetch code from the npm registry if you don't already have it installed — only run it if you trust npm packages. 3) The skill bundles echarts.min.js locally (license header present); if you need higher assurance, inspect or verify the file (compare checksum to an official ECharts release). 4) The skill does not request credentials or access to other parts of your system, but it will read/write files in your working directory when generating charts — review generated files before serving them on any network-facing host.
assets/echarts.min.js:45
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ewk1wtw4rt3vxcj5s16kfvx82tevm
