ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Viz

v0.1.0

Create terminal charts and plots from CSV or JSON data using YouPlot and termgraph without leaving the command line.

0· 1.3k·12 current·12 all-time
by@ianalloway
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's stated purpose (create terminal charts with YouPlot and termgraph) matches the commands and examples in SKILL.md. However, registry metadata lists only curl as a required binary while the instructions expect/mention many other tools (uplot/youplot, termgraph, jq, gnuplot, csvlook, spark, column, top, watch). The SKILL.md also contains install commands (gem install youplot, pip install termgraph) even though the registry metadata said 'No install spec', which is an internal inconsistency but not obviously malicious.
Instruction Scope
Runtime instructions limit actions to local data processing and calling HTTP APIs (curl) for example data; they do not instruct reading unrelated system files, harvesting environment variables, or transmitting data to unexpected endpoints. Examples do use network calls to public APIs (e.g., alphavantage/demo) which is expected for data fetches.
Install Mechanism
No formal install spec in the registry, but SKILL.md includes shell install commands: 'gem install youplot' and 'pip install termgraph'. These are standard package-manager installs from central registries (RubyGems/PyPI) — moderate risk and expected for this purpose. There is no use of arbitrary download URLs or archive extraction. The inconsistency between 'no install spec' and embedded install commands should be clarified.
Credentials
The skill requests no environment variables or credentials. Example commands reference public API usage (apikey=demo) but do not require secret tokens. No sensitive or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request permanent presence or attempt to modify other skills or system-wide agent settings. It is user-invocable and can be invoked autonomously (platform default), which is appropriate for this kind of helper.
Assessment
This skill appears to do what it says: create terminal charts using YouPlot/termgraph. Before installing or running its example install commands, note two practical items: (1) SKILL.md expects tools beyond 'curl' (uplot/youplot, termgraph, jq, gnuplot, csvkit, etc.) — make sure you have or want those installed. (2) The install steps use 'gem install youplot' and 'pip install termgraph' which install code from public package registries; review those packages' sources (GitHub repo) and run installs in a safe environment (e.g., virtualenv, container, or sandbox) if you are unsure. Also be aware example commands use curl to fetch data from external APIs — do not send sensitive data to unfamiliar endpoints. If you want this skill added to an automated agent, clarify the registry metadata to declare the actual binary dependencies and whether install commands should be executed automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk973jbea7ezvehsbgrrsqtseqn817hnw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
Binscurl

Comments