Chart Image
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: chart-image
Version: 2.6.35

The 'chart-image' skill is a legitimate utility for generating chart images using Vega-Lite and Sharp. The core logic in 'scripts/chart.mjs' handles data parsing and image rendering without any evidence of malicious intent, such as data exfiltration, backdoors, or unauthorized execution. The documentation in 'CAPABILITY.md' and 'SKILL.md' provides clear, safe instructions for the AI agent, specifically warning against shell injection vulnerabilities by recommending structured argument passing instead of string interpolation. No suspicious dependencies or obfuscated code were detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If integrated carelessly, chart data, labels, or paths could be mishandled by the surrounding agent/runtime.
This confirms the skill is intended to invoke a local CLI with user-provided chart data and file path parameters; the behavior is purpose-aligned, but safe integration depends on preserving the documented argv and path controls.
Do not build shell commands with string interpolation around user-controlled JSON, titles, labels, or paths... Treat `--output`, `--spec`, and file-based inputs as trusted/runtime-controlled parameters rather than free-form user text.
Use argv-style process execution and runtime-created or trusted temporary input/output paths, as the capability document recommends.
Installing the skill pulls its Node dependencies into the local environment.
The skill requires installing npm dependencies as a setup step. This is expected for a Node-based chart renderer, and the package/lock files are included, but users should recognize that installation downloads third-party packages.
Setup (one-time)
```bash
cd /data/clawd/skills/chart-image/scripts && npm install
```
Install from the packaged skill directory, keep the included lockfile, and avoid replacing dependencies with unreviewed sources.
