ECharts Master
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is coherently focused on generating local ECharts HTML charts, with no evidence of credential use or exfiltration, but it does run bundled JavaScript and may start a local preview server.
This skill appears safe for normal local chart generation. Before installing, consider verifying the bundled ECharts JavaScript, keep generated charts in a dedicated folder, avoid embedding highly sensitive data unless necessary, and stop the local preview server when finished.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening generated charts will execute the bundled ECharts JavaScript in the browser.
The bundled minified JavaScript contains a Function-constructor pattern that triggered the static dynamic-code scan. It appears inside the ECharts rendering library, which is central to the skill's chart-generation purpose.
_=function(){}.constructorUse the skill only if you are comfortable with the bundled ECharts file, or replace it with a verified official ECharts build.
Users have less information for independently verifying that the bundled ECharts file is the official library.
The skill includes a large vendored JavaScript dependency, but the registry metadata does not identify a source homepage or provenance for the package.
Source: unknown; Homepage: none
Prefer a versioned, integrity-checked ECharts asset or verify the bundled file against an official ECharts release before relying on it for sensitive work.
If started in the wrong folder, the preview server could expose more local files than intended to browsers or local-network clients.
The skill instructs use of a local HTTP server to preview generated charts. This is aligned with the chart-preview purpose, but the server may serve files from the selected directory while it is running.
python3 -m http.server 8082
Start the server only from a dedicated chart-output folder, bind it to localhost when possible, and stop it after previewing the chart.