Apache Echarts

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates interactive Apache ECharts HTML chart files and does not show hidden, destructive, or unrelated behavior.

Installers should understand that generated chart files contain JavaScript and load ECharts from a public CDN when opened. Use trusted data for chart labels/options, review filenames before saving, and prefer a local or organization-approved ECharts copy if offline use or stricter supply-chain control is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill instructs the agent to generate a complete HTML file and save it to the workspace without any warning, confirmation, or constraint on file creation. Unannounced filesystem writes are a real security and trust concern because they create persistent artifacts that may overwrite user files, introduce unexpected executable/viewable content, or be abused in environments where file creation should require explicit consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill mandates use of a public CDN script without warning that the generated HTML will fetch third-party code at page load time. This is security-relevant because opening the generated file causes network access and execution of externally hosted JavaScript, which can violate user expectations, leak metadata such as IP/user agent, and increase supply-chain risk if the CDN resource is compromised or substituted.

VirusTotal

65/65 vendors flagged this skill as clean.
