License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description (Apache ECharts charting) align with the provided artifacts: a SKILL.md describing chart generation, an API reference, and an HTML template that imports ECharts from a public CDN. It requests no unrelated binaries, env vars, or config paths.
Instruction Scope
Instructions stay within chart-generation scope and explicitly instruct using the ECharts CDN and producing a complete HTML page. Two points to watch: (1) the template injects a raw {{OPTION}} JavaScript object into the page — if the OPTION content is not safely JSON-serialized/escaped there is a risk of HTML/JS injection (XSS) if any input contains malicious strings; (2) the generated page defines window.__echarts_export__ with getPngUrl() returning a data URL — this is useful but also exposes an API that could be abused by other scripts on the same page to read exported data.
Install Mechanism
Instruction-only skill with no install spec and no download actions. Uses a public CDN (jsDelivr) to load echarts, which is standard for client-side charting. No archives or arbitrary code downloads are requested.
Credentials
No environment variables, credentials, or sensitive config paths are requested. The skill does not ask for unrelated secrets or system access.
Persistence & Privilege
always is false and the skill is user-invocable. No installation actions modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
Assessment
This skill appears to do what it says: produce interactive HTML pages using ECharts from a CDN. Before installing or using it, consider the following: (1) CDN trust — the HTML loads echarts from jsDelivr; if you require stronger supply-chain guarantees, host a vetted copy or use an organization-approved CDN. (2) XSS/serialization — ensure any chart option or user data is serialized safely (use JSON.stringify when embedding OPTION) so strings can't inject arbitrary script into the generated HTML. (3) Exposed API — the template exposes window.__echarts_export__ (getPngUrl) which can be convenient but means any script on the page can read the generated image data; avoid hosting the generated pages where untrusted third-party scripts run. (4) If you plan to embed sensitive data in charts, review how the agent substitutes values into the template and confirm no external endpoints are contacted. If you want higher assurance, ask the publisher for explicit details on how OPTION is serialized and/or request a version that safely JSON-encodes embedded data.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bjttzwbv3c24p7y7f6z4w2h84n7c1
Runtime requirements
📊 Clawdis
