Security Scan
OpenClaw
Safe
medium confidence
Assessment and recommendations
This skill appears to do what it says: produce interactive HTML pages using ECharts from a CDN. Before installing or using it, consider the following: (1) CDN trust — the HTML loads echarts from jsDelivr; if you require stronger supply-chain guarantees, host a vetted copy or use an organization-approved CDN. (2) XSS/serialization — ensure any chart option or user data is serialized safely (use JSON.stringify when embedding OPTION) so strings can't inject arbitrary script into the generated HTML....
✓ Purpose and capabilities
Name and description (Apache ECharts charting) align with the provided artifacts: a SKILL.md describing chart generation, an API reference, and an HTML template that imports ECharts from a public CDN. It requests no unrelated binaries, env vars, or config paths.
ℹ Instruction scope
Instructions stay within chart-generation scope and explicitly instruct using the ECharts CDN and producing a complete HTML page. Two points to watch: (1) the template injects a raw {{OPTION}} JavaScript object into the page — if the OPTION content is not safely JSON-serialized/escaped there is a risk of HTML/JS injection (XSS) if any input contains malicious strings; (2) the generated page defines window.__echarts_export__ with getPngUrl() returning a data URL — this is useful but also exposes an API that could be abused by other scripts on the same page to read exported data.
✓ Installation mechanism
Instruction-only skill with no install spec and no download actions. Uses a public CDN (jsDelivr) to load echarts, which is standard for client-side charting. No archives or arbitrary code downloads are requested.
✓ Credential requirements
No environment variables, credentials, or sensitive config paths are requested. The skill does not ask for unrelated secrets or system access.
✓ Persistence and permissions
always is false and the skill is user-invocable. No installation actions modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
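Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/11
● Harmless
Install command
Official: npx clawhub@latest install apache-echarts
Mirror (accelerated): npx clawhub@latest install apache-echarts --registry https://cn.longxiaskill.com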