Chart Image
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently implements local chart image generation, with only normal npm dependency installation and controlled file input/output considerations to notice.
This looks safe for normal chart generation. Before installing, be comfortable with running npm install for the included Node dependencies, and when using it, pass chart data and output paths through trusted runtime controls rather than arbitrary shell strings.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If integrated carelessly, chart data, labels, or paths could be mishandled by the surrounding agent/runtime.
This confirms the skill is intended to invoke a local CLI with user-provided chart data and file path parameters; the behavior is purpose-aligned, but safe integration depends on preserving the documented argv and path controls.
Do not build shell commands with string interpolation around user-controlled JSON, titles, labels, or paths... Treat `--output`, `--spec`, and file-based inputs as trusted/runtime-controlled parameters rather than free-form user text.
Use argv-style process execution and runtime-created or trusted temporary input/output paths, as the capability document recommends.
Installing the skill pulls its Node dependencies into the local environment.
The skill requires installing npm dependencies as a setup step. This is expected for a Node-based chart renderer, and the package/lock files are included, but users should recognize that installation downloads third-party packages.
Setup (one-time)
```bash
cd /data/clawd/skills/chart-image/scripts && npm install
```
Install from the packaged skill directory, keep the included lockfile, and avoid replacing dependencies with unreviewed sources.
