Trust Assessment
chart-image received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include an unpinned npm dependency version, arbitrary file read via the `--spec` argument, and arbitrary file write via the `--output` argument.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary file read via `--spec` argument: The `chart.mjs` script allows reading arbitrary files from the filesystem via the `--spec` command-line argument. An attacker can specify a path to any file (e.g., `/etc/passwd`, `.env` files, credential files) that the skill's execution environment has read access to. The content of this file would then be parsed as a Vega-Lite spec. While the primary output is an image, a malicious spec could embed parts of the read file's content into chart titles, labels, or annotations, effectively exfiltrating the data via the generated image. Restrict the `--spec` argument to a predefined, secure directory (e.g., `/data/clawd/skills/chart-image/specs/`) or disallow reading arbitrary files. Validate the path to ensure it's within an allowed sandbox. | LLM | scripts/chart.mjs:149 |
| HIGH | Arbitrary file write via `--output` argument: The `chart.mjs` script allows writing to arbitrary file paths on the filesystem via the `--output` command-line argument. An attacker can specify a path to any location (e.g., `/tmp/malicious.sh`, `/etc/cron.d/malicious_job`) that the skill's execution environment has write access to. This could lead to overwriting critical system files, writing malicious scripts to executable locations, or filling up disk space, potentially enabling further command injection or denial-of-service attacks. Restrict the `--output` argument to a predefined, secure, and temporary directory (e.g., `/data/clawd/tmp/`) and ensure files are cleaned up. Validate the path to ensure it's within an allowed sandbox. | LLM | scripts/chart.mjs:160 |
| MEDIUM | Unpinned npm dependency version: Dependency 'vega' is not pinned to an exact version ('^5.30.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/dannyshmueli/chart-image/scripts/package.json |
| MEDIUM | Unpinned dependencies in package.json and package-lock.json: The `package.json` and `package-lock.json` files use caret (`^`) ranges for dependencies (`sharp`, `vega`, `vega-lite`). This allows minor and patch versions to be automatically updated during `npm install`, which could introduce breaking changes, vulnerabilities, or malicious code without explicit review. While `package-lock.json` provides some locking, it's not a strict pin and can be regenerated or ignored. Pin all dependencies to exact versions (e.g., `1.2.3` instead of `^1.2.3` or `~1.2.3`). Use `npm ci` for installs in production environments to ensure `package-lock.json` is strictly followed. Regularly audit dependencies for known vulnerabilities. | LLM | scripts/package.json:4 |