chart-py-generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local Python chart generator; the optional Telegram-send examples need care, but the provided files do not implement hidden transfer, persistence, or destructive behavior.

Install if you want a local matplotlib-based chart generator. Use the local chart-gen workflow for sensitive data, verify any chart-gen-send wrapper before using it, and only send charts to Telegram when you are comfortable sharing the chart image and embedded data with that external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation promotes a `chart-gen-send` workflow that transmits generated charts to Telegram but does not disclose that chart contents may contain sensitive business or personal data and will leave the local environment. In an agent context, this omission can cause users or downstream automation to exfiltrate reports to a third-party service without informed consent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The example section repeatedly encourages use of `chart-gen-send` for reports and business comparisons, normalizing external sharing of potentially sensitive analytics while omitting any privacy, retention, or recipient-verification warning. Because examples strongly shape agent behavior, this increases the likelihood of unintentional disclosure of internal data to Telegram.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal