charting-vega-lite

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill dynamically loads the Vega, Vega-Lite, and Vega-Embed libraries from the official jsDelivr CDN (cdn.jsdelivr.net) within the generated React artifacts. These are established, well-known libraries for rendering visualizations.
  • [COMMAND_EXECUTION]: The skill executes local Python scripts (analyze_data.py and prepare_data.py) to perform statistical analysis and optimization of user-uploaded data files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from external files (CSV, JSON, Excel).
    • Ingestion points: User-uploaded data files are read from /mnt/user-data/uploads/ by the analysis and preparation scripts.
    • Boundary markers: No explicit boundary markers or 'ignore' instructions are used when interpolating data into the agent's context during the 'Understand Data Context' phase.
    • Capability inventory: The skill can write files to the local system using bash heredoc and execute Python scripts for data processing.
    • Sanitization: Data is serialized into JSON arrays using json.dumps before being embedded as 'Data Islands' in artifacts, which provides basic structural escaping.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 11:35 AM