Skill v1.0.4

ClawScan security

Analysis Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 1, 2026, 9:02 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested environment variable are consistent with a ChartGen API client that uploads user-provided data to chartgen.ai for analysis and visualization.
Guidance
This skill appears internally coherent and implements a client for chartgen.ai. Before installing or using it, consider: (1) Data privacy — any file or JSON you provide will be uploaded (base64-encoded) to chartgen.ai; do not send sensitive files or secrets. (2) API key safety — the CHARTGEN_API_KEY you set grants the service access and billing; treat it like a secret and verify its scope and limits on chartgen.ai. (3) Billing/credits — the SKILL.md states credit consumption (20 credits per call, 200 free/month); confirm costs on chartgen.ai. (4) Source verification — the registry lists no homepage and the owner is unknown; if you need stronger assurance, verify chartgen.ai and its API documentation independently before supplying your API key or production data. (5) Test with sample data first to confirm behavior and outputs.

Review Dimensions

Purpose & Capability
ok
The name/description (ChartGen data analysis/visualization) matches the code and SKILL.md. The only required environment variable is CHARTGEN_API_KEY, which is appropriate for an API-backed charting service. Minor note: the registry metadata lists no primary credential field even though CHARTGEN_API_KEY is the main credential—this is a bookkeeping omission, not a functional mismatch.
Instruction Scope
note
The SKILL.md and scripts clearly instruct the agent to read either a local file or JSON data, base64-encode file contents, and POST them to https://chartgen.ai/api/platform_api/ (services: PythonDataAnalysis, DataInterpretation, EchartsVisualization). This is coherent with the stated purpose, but it means any file you point the tool at will be uploaded to an external service. Users should not point it at sensitive files (containing PII, secrets, or credentials) unless they trust chartgen.ai and the API key's permissions.
Install Mechanism
ok
There is no install spec (no downloads or installers). The skill is instruction-plus-scripts only; running it executes included Python scripts. No unexpected third-party download URLs or archive extraction are present.
Credentials
ok
The only required env var is CHARTGEN_API_KEY, which is proportional to a remote API client. The scripts do not access other environment variables or unrelated credentials. The API key is sent in the Authorization header (no additional secrets requested).
Persistence & Privilege
ok
The skill is not forced-always, is user-invocable, and does not request persistent/system-wide privileges. It writes output HTML to /tmp/openclaw/charts by default (a reasonable, limited location) and does not modify other skills or system configs.