ClawHub

chart-toolkit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal chart-generation skill with some documentation and dependency hygiene issues, not hidden or malicious behavior.

Install this if you want local Python chart generation. Treat the unrelated README imports as documentation noise unless you separately verify those modules, consider pinning dependencies before production use, and escape untrusted data before placing it into generated HTML reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README for a charting toolkit unexpectedly advertises unrelated workflow, database, Excel, and Feishu integration modules in an agent-skill context. In a skill ecosystem, this kind of scope expansion can mislead users and downstream agents into importing or relying on capabilities with broader access to local files, external services, or data sources than the skill name suggests, increasing the risk of over-privileged use or hidden attack surface.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The HTML generation examples interpolate raw values directly into HTML table/report output without escaping. If untrusted data contains HTML or script payloads, opening the generated report in a browser could trigger stored XSS-style script execution or markup injection, especially in local dashboards or shared exported reports.

Unpinned Dependencies

Low
Category
Supply Chain
Content
matplotlib
pandas
# 可选:
plotly
Confidence
91% confidence
Finding
matplotlib

Unpinned Dependencies

Low
Category
Supply Chain
Content
matplotlib
pandas
# 可选:
plotly
kaleido  # for plotly image export
Confidence
95% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
matplotlib
pandas
# 可选:
plotly
kaleido  # for plotly image export
Confidence
90% confidence
Finding
plotly

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal