Visualization
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s visualization purpose is mostly coherent, but the included code has unsafe custom-template file and HTML handling plus weak optional API/cloud boundaries that should be reviewed before use.
Use the core charting capability cautiously, but avoid custom templates, cloud upload, or API deployment until the template path validation, HTML escaping, and API authentication are fixed. Verify dependencies and keep sensitive financial data local unless you explicitly intend to share it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken custom template name could read or overwrite local JSON files outside the intended template folder.
The template name is used directly in filesystem paths for reads and writes. Without rejecting path separators or resolving/enforcing the directory boundary, a prompt- or config-controlled template name could traverse outside the intended visualization_templates directory.
const templatePath = path.join(this.templatesDir, `${templateName}.json`);
fs.writeFileSync(templatePath, JSON.stringify(templateConfig, null, 2));
...
const templateData = fs.readFileSync(templatePath, 'utf8');Restrict template names to a safe allowlist such as letters, numbers, dash, and underscore; use path.resolve and verify the resolved path stays inside the template directory before reading or writing.
Opening a preview for a malicious custom template could run unwanted JavaScript in the browser context.
Template metadata is interpolated directly into generated HTML and saved as preview.html. If template content is untrusted, HTML or script payloads could be embedded and execute when the preview is opened.
<h1>${templateConfig.metadata?.title || 'Custom Template'}</h1>
<p class="description">${templateConfig.metadata?.description || 'Template preview'}</p>
...
fs.writeFileSync(previewPath, htmlContent);HTML-escape all template-provided text, safely serialize chart configuration for script contexts, and avoid opening previews from untrusted templates without review.
If the API server is used or deployed as-is, unauthorized callers may be able to access generation endpoints with a made-up key.
The optional REST API accepts API keys in query parameters and validates only by prefix and length rather than checking issued keys or user permissions.
const apiKey = req.headers['x-api-key'] || req.query.api_key;
...
return apiKey.startsWith('viz_') && apiKey.length > 20;Do not deploy the included API server as-is. Use header-only credentials, validate against a server-side key store, bind keys to users/permissions, and add explicit authentication tests.
Financial charts or dashboard outputs could be sent to a cloud storage provider if this option is enabled.
The code contains an optional cloud-storage path for generated chart outputs, while SKILL.md only clearly advertises auto-saving to the workspace.
if (params.cloudStorage) {
const cloudStorage = new CloudStorage();
const cloudResult = await cloudStorage.uploadChart(result.path, `visualization_${params.template}_${Date.now()}.png`, params.cloudProvider);
result.cloudUrl = cloudResult.url;
}Require explicit user confirmation before any cloud upload, clearly disclose the provider and destination, and keep sensitive portfolio data local unless sharing is intended.
The exact code installed at runtime may vary across environments if dependencies are installed manually.
If the included code is run manually, dependency versions are not pinned exactly and no lockfile or install spec is provided in the artifacts.
"dependencies": {
"canvas": "^2.11.2",
"chart.js": "^4.4.0"
}Pin dependency versions, provide a lockfile, and document installation requirements if the skill is intended to execute these code files.