Analysis Data

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears coherent for ChartGen-based data analysis and visualization, but users should know it uses a ChartGen API key and sends confirmed prompts and selected files to chartgen.ai.

This looks like a normal ChartGen integration. Before installing, make sure you are comfortable sending prompts and chosen spreadsheet files to chartgen.ai, review each confirmation carefully, and keep your ChartGen API key protected.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Spreadsheet contents and prompt text may be processed by ChartGen outside the local environment.

Why it was flagged

The skill clearly discloses that user prompts and selected files are sent to an external provider. This is purpose-aligned, but it is still a data-sharing boundary users should understand.

Skill content

Network boundary: this helper sends the confirmed prompt and selected files only to `https://chartgen.ai`.

Recommendation

Only confirm requests and attach files that you are allowed to send to ChartGen; review the file list and prompt before approving.

What this means

Anyone using the skill with your configured key can submit ChartGen jobs under that key’s account or quota.

Why it was flagged

The helper reads a ChartGen API key from the environment or local config and uses it to authenticate requests to ChartGen. This is expected for the integration and no leakage or unrelated credential use is shown.

Skill content

if (process.env.CHARTGEN_API_KEY) return process.env.CHARTGEN_API_KEY; ... Authorization: apiKey,

Recommendation

Use a scoped ChartGen key if available, store it securely, and rotate it if you suspect misuse.

What this means

Using the skill runs local bundled JavaScript to read the request file, upload selected files, poll results, and save outputs.

Why it was flagged

The skill invokes a bundled Node.js helper to submit jobs. This local code execution is disclosed, fixed to the helper command, and central to the skill’s purpose.

Skill content

node tools/chartgen_api.js submit /tmp/chartgen_request_20260506_112900.json

Recommendation

Install only if you trust the bundled helper code and have Node.js available.