Chart AI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent ChartGen integration, but it sends approved spreadsheet data to ChartGen using your API key and may poll in the background while jobs finish.

Before installing or using this skill, make sure you are comfortable sharing the selected spreadsheets and prompts with ChartGen. Review the confirmation prompt carefully before choosing “go,” use a revocable API key, and ensure any CHARTGEN_API_URL setting points to a trusted endpoint.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Spreadsheet data and the user's prompt may be processed by ChartGen outside the local agent environment.

Why it was flagged

The helper reads selected CSV/Excel-style files and uploads them to the ChartGen API using the user's API key. This is expected for the skill's data-analysis purpose, but it means file contents leave the local environment.

Skill content

content: fs.readFileSync(resolved) ... url: `${BASE_URL}/api/usl-service/fileTable/upload` ... Authorization: apiKey

Recommendation

Only approve submissions for files you are allowed to share with ChartGen; redact sensitive data or avoid uploading confidential spreadsheets.

What this means

The skill can use your ChartGen account/API quota to upload files, submit analysis tasks, and retrieve results.

Why it was flagged

The helper locates a ChartGen API key from the environment or ChartGen-specific local config files and sends it as the Authorization header. This is purpose-aligned, but it grants the skill access to submit jobs under that ChartGen account.

Skill content

if (process.env.CHARTGEN_API_KEY) return process.env.CHARTGEN_API_KEY; ... path.join(home, ".chartgen", "api_key") ... headers: { Authorization: apiKey }

Recommendation

Use a revocable ChartGen API key, store it only in trusted locations, and verify any CHARTGEN_API_URL override is intended and trusted.

What this means

After you approve a ChartGen task, the agent may continue making status-check requests in the background until the job finishes or times out.

Why it was flagged

The workflow allows background or cron-style polling while ChartGen completes a task. The instructions bound this to task completion and a 25-minute timeout, so it appears proportionate rather than hidden persistence.

Skill content

"node tools/chartgen_api.js wait {task_id}", "background": true ... poll every 90s with `poll {task_id}` ... Timeout after 25 min.

Recommendation

Use the skill when background polling is acceptable, and cancel or avoid submitting if you do not want continued network activity for that task.