Chart Generator
Pass
Audited by ClawScan on May 1, 2026.
Overview
This looks like a legitimate ChartGen integration, but it sends confirmed prompts and spreadsheet data to ChartGen using your API key, so only use it with data you are allowed to share.
Before installing, make sure you are comfortable with ChartGen receiving the prompts and spreadsheet files you ask it to analyze. Keep the API key secure, check that the API URL has not been redirected, and avoid submitting confidential or regulated data unless you have approval.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private spreadsheet contents and prompts may leave the local machine and be processed by the ChartGen service.
The helper can read user-provided spreadsheet files and send them, along with the prompt, to the ChartGen API endpoint; the default endpoint is ChartGen, with an environment-variable override.
const BASE_URL = process.env.CHARTGEN_API_URL || "https://chartgen.ai"; ... content: fs.readFileSync(resolved), ... url: `${BASE_URL}/api/usl-service/fileTable/upload` ... url: `${BASE_URL}/api/agent/chat`
Only submit files you are allowed to share with ChartGen, and verify that CHARTGEN_API_URL is not unexpectedly set to a different endpoint.
The skill can act against the ChartGen account associated with the configured API key.
The tool retrieves a ChartGen API key from environment or local config files and uses it as the Authorization header for ChartGen requests.
if (process.env.CHARTGEN_API_KEY) return process.env.CHARTGEN_API_KEY; ... path.join(home, ".chartgen", "api_key") ... headers: { Authorization: apiKey }
Use a dedicated ChartGen API key if possible, store it securely, and rotate it if you suspect it was exposed.
A ChartGen request may continue polling in the background after submission until it finishes or times out.
The workflow allows a background or cron-style polling task to wait for ChartGen completion, but it is task-specific and bounded by a 25-minute timeout.
Background exec ... "background": true ... Cron ... poll every 90s with `poll {task_id}` ... Timeout after 25 min.
Use the background mode only for requests you intentionally submitted, and cancel or clean up polling if you no longer want the task to continue.
