Data Analysis Pro

ReviewAudited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned, but it uploads user-provided datasets to ChartGen and uses a ChartGen API key, so only use it with data you are allowed to send to that service.

Before installing, confirm you are comfortable sending the datasets you analyze to chartgen.ai and using a ChartGen API key from your environment. Prefer a limited-use API key, monitor credit usage, and avoid passing sensitive local files unless you have approval to upload them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Any spreadsheet, CSV, or JSON data analyzed by the skill may leave the local environment and be processed by ChartGen.

Why it was flagged

The script reads the provided local file, encodes its contents, and sends it to the ChartGen API endpoint for processing.

Skill content

BASE_URL = "https://chartgen.ai/api/platform_api/" ... data["file_blob"] = base64.b64encode(content).decode('utf-8') ... response = requests.post(url, headers=headers, data=json.dumps(data), timeout=60)

Recommendation

Use this skill only with data you are permitted to upload to chartgen.ai, and redact confidential or regulated information when appropriate.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill can consume ChartGen credits or quota associated with the configured API key.

Why it was flagged

The skill uses a ChartGen API key from the environment as an Authorization header for API calls.

Skill content

self.api_key = api_key or os.environ.get("CHARTGEN_API_KEY") ... headers = { "Authorization": self.api_key, "X-Platform-Source": "openclaw" }

Recommendation

Use a dedicated ChartGen API key with appropriate credit limits and rotate or revoke it if no longer needed.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Opening generated chart HTML depends on external JavaScript from jsDelivr, which is normal for browser-based charts but adds a third-party runtime dependency.

Why it was flagged

Generated visualization HTML loads ECharts JavaScript from an external CDN using a broad major-version reference.

Skill content

<script src="https://cdn.jsdelivr.net/npm/echarts@5/dist/echarts.min.js"></script>

Recommendation

Open generated HTML only when you trust the chart source, and consider pinning or locally hosting the ECharts library if stronger supply-chain control is needed.