Intelligent data analysis report generator

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: data-analysis-report-generator
Version: 1.0.0

The skill bundle provides a functional data analysis and reporting tool, but it is classified as suspicious due to a significant security vulnerability in 'assets/report_template.html'. The template uses 'eval()' to execute dynamically generated JavaScript for ECharts initialization, which is a high-risk coding pattern that could lead to Cross-Site Scripting (XSS) if malicious data is injected into the input files. While the Python scripts ('analyzer.py' and 'chart_generator.py') appear to perform legitimate data processing and lack evidence of intentional malice, the use of 'eval' on data-derived strings represents a notable security flaw.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent will run local Python commands and read the spreadsheet files the user provides.

Why it was flagged

The skill asks the agent to execute local Python tools against a user-selected spreadsheet and write outputs. This is central to the skill's purpose, but users should understand that local command execution is part of the workflow.

Skill content
Run `analyzer.py` on the file → get `analysis.json`
Run `chart_generator.py` with analysis + style → get `charts.json`
Recommendation

Use the skill only on files you intend to analyze, keep outputs in the workspace, and review any optional custom analysis code before running it.

What this means

Installing dependencies or opening the generated report may fetch code from external package/CDN providers.

Why it was flagged

The skill depends on external Python packages and a third-party CDN script. This is disclosed and purpose-aligned, but package versions/hashes and CDN integrity are not specified.

Skill content
ECharts 5.5.0 (loaded via CDN in the HTML template — no local install needed)

If dependencies missing, install: `pip install pandas openpyxl numpy`
Recommendation

Prefer a virtual environment, pin package versions, and consider bundling ECharts locally or adding Subresource Integrity for the CDN script.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A booby-trapped CSV or Excel file could make the generated HTML report run unwanted JavaScript in the browser, potentially altering the report or sending embedded report data over the network.

Why it was flagged

The generated report builds HTML and JavaScript from embedded chart data, inserts it with innerHTML, and then evals the assembled script. Because chart IDs, titles, and metric names can be derived from spreadsheet columns, a malicious or untrusted file could cause JavaScript execution when the report is opened.

Skill content
const entries = Object.entries(CHART_DATA);
...
const cid = 'chart_' + id;
...
sectionContainer.innerHTML = html;
...
eval(chartInitCode);
Recommendation

Remove eval, initialize charts directly in a loop, generate safe fixed element IDs, escape or use textContent for all data-derived text, and safely serialize JSON embedded inside script tags.