Skill v1.1.0
ClawScan security
Chart Splat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 2:12 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, install, and runtime instructions are coherent with a chart-generation service and do not request unrelated privileges or secrets, though there are a few small implementation inconsistencies to be aware of.
- Guidance
- This skill appears to do what it says: it posts chart configs to api.chartsplat.com and returns PNG images. Before installing, verify the npm package (chartsplat-cli) publisher and source to ensure it is the legitimate Chart Splat CLI. Store CHARTSPLAT_API_KEY securely and only provide a key scoped/rotated for this use. Be aware of two small inconsistencies: (1) positional mode of the bundled script only accepts a limited set of types (candlestick/ohlc require using --config), and (2) the script supports an optional CHARTSPLAT_API_URL env var not declared in the skill metadata—if you need to enforce endpoint restrictions, confirm that value before running. If you will send sensitive data, confirm the service's privacy policy and that the API key has appropriate scope and rate limits.
Review Dimensions
- Purpose & Capability
- ok
- Name/description (Chart Splat) match the declared needs: Node/npx, the chartsplat CLI package, and a single API key (CHARTSPLAT_API_KEY). The included helper script and API docs all target api.chartsplat.com, which is coherent with the stated purpose.
- Instruction Scope
- note
- SKILL.md and examples document both simple positional chart generation and complex charts via a JSON config; the helper script supports both modes. Minor inconsistency: the helper script's VALID_TYPES list excludes 'candlestick' and 'ohlc' for positional mode (so those types require --config), but the SKILL.md presents candlestick/ohlc as generally supported. The script also reads an optional CHARTSPLAT_API_URL override (process.env.CHARTSPLAT_API_URL) which is not declared in requires.env.
- Install Mechanism
- ok
- Install is via an npm package (chartsplat-cli), which is an expected, traceable mechanism for a Node CLI. No arbitrary download URLs or archive extraction are used in the install spec.
- Credentials
- note
- Only one secret is required (CHARTSPLAT_API_KEY), which matches the API-driven purpose. Minor mismatch: the helper script additionally reads CHARTSPLAT_API_URL as an optional override, but that env var is not declared in the metadata.
- Persistence & Privilege
- ok
- The skill does not request always:true or any elevated persistent presence. It uses the platform's normal autonomous invocation defaults; no modifications to other skills or system-wide configuration are indicated.
