I’d highly recommend to escape all values before output, e.g. echo esc_html( $retrieved_data->NAME )
.
The same for the image:
<img src="https://wordpress.stackexchange.com/questions/292680/<?php echo esc_url( $retrieved_data->icon ); ?>" />
You can read more about Securing Output in the developer handbook.