Visualization
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: visualization
Version: 1.2.0
The skill exhibits several vulnerabilities, primarily a significant prompt injection risk in `main.js`'s `parseRequest` function, allowing manipulation of skill parameters like `template`, `format`, `cloudStorage`, and `cloudProvider`. While the cloud storage functionality is currently mocked in `cloud/aws_lambda.js`, this prompt injection could lead to unintended resource usage or misconfiguration if fully implemented. Additionally, `integration/api.js` contains a placeholder `isValidAPIKey` function that represents a weak API key validation vulnerability. The `integration/jupyter.js` file includes a `!pip install visualization-skill` command, which, while intended for self-installation, introduces a minor supply chain risk if the package name were typosquatted or the repository compromised. These issues are design flaws and risky capabilities rather than clear evidence of intentional malicious behavior like data exfiltration or backdoor installation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken custom template name could read or overwrite local JSON files outside the intended template folder.
The template name is used directly in filesystem paths for reads and writes. Without rejecting path separators or resolving/enforcing the directory boundary, a prompt- or config-controlled template name could traverse outside the intended visualization_templates directory.
const templatePath = path.join(this.templatesDir, `${templateName}.json`);
fs.writeFileSync(templatePath, JSON.stringify(templateConfig, null, 2));
...
const templateData = fs.readFileSync(templatePath, 'utf8');
Restrict template names to a safe allowlist such as letters, numbers, dash, and underscore; use path.resolve and verify the resolved path stays inside the template directory before reading or writing.
Opening a preview for a malicious custom template could run unwanted JavaScript in the browser context.
Template metadata is interpolated directly into generated HTML and saved as preview.html. If template content is untrusted, HTML or script payloads could be embedded and execute when the preview is opened.
<h1>${templateConfig.metadata?.title || 'Custom Template'}</h1>
<p class="description">${templateConfig.metadata?.description || 'Template preview'}</p>
...
fs.writeFileSync(previewPath, htmlContent);
HTML-escape all template-provided text, safely serialize chart configuration for script contexts, and avoid opening previews from untrusted templates without review.
If the API server is used or deployed as-is, unauthorized callers may be able to access generation endpoints with a made-up key.
The optional REST API accepts API keys in query parameters and validates only by prefix and length rather than checking issued keys or user permissions.
const apiKey = req.headers['x-api-key'] || req.query.api_key;
...
return apiKey.startsWith('viz_') && apiKey.length > 20;
Do not deploy the included API server as-is. Use header-only credentials, validate against a server-side key store, bind keys to users/permissions, and add explicit authentication tests.
Financial charts or dashboard outputs could be sent to a cloud storage provider if this option is enabled.
The code contains an optional cloud-storage path for generated chart outputs, while SKILL.md only clearly advertises auto-saving to the workspace.
if (params.cloudStorage) {
  const cloudStorage = new CloudStorage();
  const cloudResult = await cloudStorage.uploadChart(result.path, `visualization_${params.template}_${Date.now()}.png`, params.cloudProvider);
  result.cloudUrl = cloudResult.url;
}
Require explicit user confirmation before any cloud upload, clearly disclose the provider and destination, and keep sensitive portfolio data local unless sharing is intended.
The exact code installed at runtime may vary across environments if dependencies are installed manually.
If the included code is run manually, dependency versions are not pinned exactly and no lockfile or install spec is provided in the artifacts.
"dependencies": {
  "canvas": "^2.11.2",
  "chart.js": "^4.4.0"
}
Pin dependency versions, provide a lockfile, and document installation requirements if the skill is intended to execute these code files.
