ECharts Master

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent local ECharts chart-generation helper, with manageable cautions around creating chart files and starting a local preview server.

Reasonable to install for local chart creation. For sensitive data, generate charts in a dedicated folder, serve only that folder, prefer binding the server to 127.0.0.1, and stop the preview server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (87% confidence)
Finding
The trigger phrases like '帮我做个图' and '画个图表' are broad enough to match ordinary conversation, which can cause the skill to activate unexpectedly. Because the skill then proposes file creation and local server actions, accidental invocation can lead to unintended system-impacting behavior without clear user intent.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs the agent to copy files, write HTML, change directories, and start an HTTP server on port 8082, but does not require warning the user or obtaining confirmation first. This is dangerous because it causes filesystem modifications and opens a local listening service, increasing exposure to accidental data disclosure or environmental impact on the host.

VirusTotal

65/65 vendors flagged this skill as clean.
