Security audit

Chart Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote chart-generation skill, with the main privacy caution that chart inputs are sent to external services and chart files are stored by default for a limited time.

Install only if you are comfortable sending chart inputs to AgentPMT/QuickChart. For confidential, regulated, customer, or unpublished research data, explicitly use `return_base64: true` with `store_file: false`, or avoid the skill; also confirm the user really wants remote chart generation before using it on generic data tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 93% confidence
Finding:
The skill's activation keywords include broad, natural-language intents such as creating dashboards, reports, and academic figures rather than narrow product-specific triggers. This can cause the agent to invoke the remote chart service in contexts where the user did not explicitly request external processing, increasing the chance that sensitive business or research data is sent off-platform unnecessarily.

Missing User Warnings

Medium, 97% confidence
Finding:
The skill describes chart generation features but does not prominently disclose that user-supplied chart data may be transmitted to a remote service and optionally stored in cloud storage with signed URLs. Users or upstream agents may therefore pass sensitive operational, financial, or research data without informed consent, creating confidentiality and data-handling risk.

Missing User Warnings

Medium, 95% confidence
Finding:
The schema indicates `store_file` defaults to true and that generated charts are stored in cloud storage with a signed URL, but it does not clearly warn users that their submitted data will be sent to and retained by a remote service by default. Because chart inputs may contain sensitive business, academic, or personal data, silent remote persistence increases the risk of unintended data disclosure or retention beyond user expectations.

VirusTotal

61/61 vendors flagged this skill as clean.