Info Visualize

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a local chart/report generator, but its HTML/SVG chart output appears to embed data without escaping, which could allow injected script to run in the browser if the input data is untrusted.

Install only if you are comfortable running local visualization scripts. Avoid opening generated HTML from untrusted or unsanitized data; prefer PNG output or sanitize fields first. Be deliberate when using the archive option, especially for reports containing private or business-sensitive information.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the chart data comes from an untrusted source, opening the generated HTML could execute injected JavaScript in the browser.

Why it was flagged

User-controlled chart fields such as title, label, tooltip, and footer are inserted directly into generated HTML/SVG without visible escaping. Because the output is intended to be opened in a browser, malicious input text could become active markup or script.

Skill content
html = f"""<!DOCTYPE html> ... <title>{title}</title> ... <body>\r\n{svg}\r\n</body>""" ... <text ...>{i+1:02d}. {label}</text> ... <title>{tooltip}</title> ... <text ...>{footer}</text>
Recommendation

Escape all HTML/SVG text and attribute values before writing them, validate color/URL-like fields, or use PNG output for untrusted data.

What this means

Generated reports may remain stored in a local memory/archive folder and could expose sensitive report contents later.

Why it was flagged

The skill documents an optional archive path under a memory-like directory. This is disclosed and user-directed, but archived reports may persist beyond the immediate task and could be reused by other tooling.

Skill content
python scripts/png_longform.py --input report.json --output report.png --archive "C:/Users/user/.ai-memory/news" ... additionally copy to `C:\Users\ToddC\.ai-memory\news\`
Recommendation

Use the archive option only for non-sensitive reports or choose a clearly scoped folder with known retention behavior.