Data Visualizer
Pass
Audited by VirusTotal on May 16, 2026.
Findings (1)
The data-visualizer skill contains a critical shell injection vulnerability in the `cmd_to_html` function within `scripts/script.sh`. The script processes CSV lines using `echo "$line"` inside a subshell expansion, which allows arbitrary command execution if a CSV file contains payloads such as `$(command)`. Additionally, the `cmd_distribution` function is currently broken: shell variables (e.g., `$bins`) are placed inside a Python heredoc whose delimiter is quoted, so the shell never expands them. While these appear to be unintentional coding flaws rather than deliberate malice, the RCE risk via CSV processing warrants a suspicious classification.
