Chart AI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Chart AI appears purpose-aligned for creating charts and reports, but it uploads selected spreadsheet data to ChartGen and uses a ChartGen API key, so users should treat uploaded data as shared with that service.

Install only if you are comfortable sending selected CSV/Excel data to ChartGen for processing. Use a dedicated API key, avoid uploading sensitive data unless ChartGen's terms are acceptable to you, and be aware that submitted tasks may poll in the background until finished or timed out.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Severity: Medium

What this means

Spreadsheet contents submitted for analysis may be processed by ChartGen, including any sensitive or personal data in those files.

Why it was flagged

The helper reads selected local spreadsheet files and uploads them to the ChartGen API. This matches the skill's data-analysis purpose, but it means file contents leave the local environment.

Skill content
content: fs.readFileSync(resolved) ... url: `${BASE_URL}/api/usl-service/fileTable/upload`
Recommendation

Only submit files you are comfortable uploading to ChartGen; remove unnecessary personal, confidential, or regulated data before use.

ASI03: Identity and Privilege Abuse
Severity: Low

What this means

The skill can act against the ChartGen account associated with the configured API key.

Why it was flagged

The tool uses a ChartGen API key from the environment or local ChartGen/OpenClaw config files and sends it as an Authorization header. This is expected for the integration, but it is still credential use.

Skill content
if (process.env.CHARTGEN_API_KEY) return process.env.CHARTGEN_API_KEY; ... headers: { Authorization: apiKey }
Recommendation

Use a dedicated ChartGen API key, store it securely, revoke it if no longer needed, and confirm any CHARTGEN_API_URL override points to a trusted endpoint.

ASI10: Rogue Agents
Severity: Low

What this means

A submitted ChartGen task may keep polling in the background for up to about 25 minutes.

Why it was flagged

The workflow allows background or cron-based polling after a task is submitted. It is disclosed and time-bounded, but it can continue after the initial user message until completion or timeout.

Skill content
Background exec ... `node tools/chartgen_api.js wait {task_id}` ... "background": true ... Cron ... poll every 90s ... Timeout after 25 min.
Recommendation

Use the skill when you are comfortable with temporary background polling, and stop or cancel pending tasks if you no longer want results.

ASI09: Human-Agent Trust Exploitation
Severity: Info

What this means

The setup message may make the service sound more endorsed, or safer, than the reviewed artifacts independently show.

Why it was flagged

The error-handling instructions include a promotional trust claim when asking the user to obtain an API key. This is not directly harmful, but it is nonessential persuasion.

Skill content
Mention ChartGen is #1 Product of the Day on Product Hunt, built by Ada.im.
Recommendation

Verify ChartGen's service, privacy terms, and API-key requirements independently before uploading sensitive data.