Viz Table
Author: charles-lpf · v1.0.0 · MIT-0
177 total downloads · 0 favorites · 1 current install · 1 version
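Install in OpenClaw
/install viz-table
Description
Reads data from a CSV/JSON file, uses ECharts to generate a visualization HTML chart (bar chart, line chart, pie chart, donut chart), and automatically opens it in the browser. Triggered when the user provides a file path.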
Security usage recommendations
This skill appears to do what it says, but it includes risky runtime behaviors you should consider before installing or using it:
- Client-side use of eval(): The SKILL.md instructs the page to compute user-entered formulas via eval(), which can execute arbitrary JavaScript. Replace eval() with a safe expression evaluator (e.g., mathjs) or strictly validate/parse formulas before execution.
- Unsanitized data injection / XSS risk: The generated HTML will render the input CSV/JSON into the page. If the implementation inserts data using innerHTML or otherwise fails to escape/encode content, a CSV containing <script> or crafted strings could run code in your browser. Ensure all cell values are escaped (use textContent or proper escaping) and avoid injecting raw HTML.
- Remote CDN dependency: The page loads ECharts from jsdelivr.net. That is convenient but introduces a remote network dependency and supply-chain risk. Consider bundling a vetted ECharts build or allowing an offline/local alternative.
- Platform-specific open command: The SKILL.md runs `open /tmp/viz-table-output.html` (macOS). On Linux/Windows this will fail or be inappropriate; the skill should detect platform or use a safer approach (spawn default browser via platform API or instruct the user to open the file). Also consider asking for confirmation before automatically opening files.
- Limit data sensitivity: Because the skill reads arbitrary file paths and writes and opens a local HTML that references remote resources, avoid using it on sensitive data unless you review and sanitize the generated HTML.
If you want to proceed, ask the author (or modify the implementation) to: use a safe formula parser, explicitly escape all table data, provide cross-platform open behavior or prompt the user, and make loading of external scripts optional or local. If you cannot verify those changes, treat outputs as potentially unsafe and do not open with sensitive datasets.
Functional analysis
Type: OpenClaw Skill
Name: viz-table
Version: 1.0.0
The skill instructions in SKILL.md direct the agent to generate an HTML file that uses the dangerous 'eval()' function to process user-provided formulas for custom data calculations. This introduces a significant Cross-Site Scripting (XSS) or local code execution vulnerability within the user's browser context. Additionally, the skill automatically executes the generated file using the 'open' command on the local system (/tmp/viz-table-output.html), which, combined with the insecure 'eval' implementation, poses a high security risk despite the lack of explicit malicious intent like data exfiltration.
Capability assessment
Purpose & Capability
The name/description (visualize CSV/JSON with ECharts) matches the instructions: read a file, parse CSV/JSON, build ECharts options, write an HTML, and open it. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Instructions tell the agent to inline raw file data into an HTML page and to implement a client-side formula editor that performs string replacement and uses eval(). The SKILL.md does not require or describe output sanitization or escaping, which enables DOM/script injection when input files contain malicious content. It also hard-codes a platform-specific shell command (`open /tmp/...`) without fallback.
Install Mechanism
Instruction-only skill with no install — low risk for on-disk installs. However, the generated HTML loads ECharts from an external CDN (jsdelivr.net), which is a supply-chain/network dependency the skill will pull at runtime in the user's browser.
Credentials
No environment variables, credentials, or config paths are requested — this is proportional to the described task.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges or modify other skills. It writes a single file to /tmp (temporary location) and opens it, which is normal for this use case.
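How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install viz-table
- After installation, call the Skill by name or use /viz-table to trigger it
- Provide the necessary inputs according to the Skill's parameter description to get structured output
Version history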
v1.0.0
Initial release: CSV/JSON data visualization with ECharts
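FAQ
What is Viz Table?
It reads data from a CSV/JSON file, uses ECharts to generate a visualization HTML chart (bar chart, line chart, pie chart, donut chart), and automatically opens it in the browser. It is triggered when the user provides a file path. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 177 downloads to date.
How do I install Viz Table?
Run the command "/install viz-table" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Viz Table free?
Yes. Viz Table is completely free and uses the MIT-0 license, so it can be freely downloaded, installed, and used.
Which platforms does Viz Table support?
Viz Table runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Viz Table?
It is developed and maintained by charles-lpf (@charles-lpf); the current version is v1.0.0.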