Skill v1.0.5
ClawScan security
Data Analysis Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 9:05 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required CHARTGEN_API_KEY are consistent with a ChartGen-based data analysis/visualization tool; the main risk is that it uploads your files/data to an external service (chartgen.ai).
- Guidance: This skill is internally coherent, but it sends whatever file or JSON you provide to https://chartgen.ai for processing. Before installing or running it: (1) Verify you trust chartgen.ai and review their privacy/billing policies (especially for sensitive data). (2) Restrict the CHARTGEN_API_KEY (use a minimal-permission key and billing/credit limits). (3) Test with non-sensitive sample data first. (4) Ensure your environment has the Python 'requests' package available. (5) Note the skill will save generated HTML to /tmp/openclaw/charts by default; clean up if that is a concern. If you need an offline/air-gapped workflow, this skill is not suitable.
Review Dimensions
- Purpose & Capability: ok. Name/description (data analysis, interpretation, visualization) match the included scripts and the ChartGen API client. Required env var CHARTGEN_API_KEY aligns with the stated ChartGen integration.
- Instruction Scope: note. Runtime instructions and scripts only read the provided --file or --json input, base64-encode file contents, and POST them to chartgen.ai endpoints. This is within scope but means user data (files/JSON) is transmitted to an external service, an expected but important privacy/coverage consideration.
- Install Mechanism: ok. No install spec (instruction-only with included scripts): nothing is downloaded or installed by the skill itself. The code depends on Python standard libraries and the third-party 'requests' package; the skill does not declare or install dependencies automatically.
- Credentials: ok. Only CHARTGEN_API_KEY is required and is appropriate for an external API client. No unrelated credentials, config paths, or extra secrets are requested.
- Persistence & Privilege: ok. 'always' is false and the skill does not alter other skills or system-wide settings. It writes output HTML files to /tmp/openclaw/charts by default, which is reasonable for a visualization tool.
