Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chart MPL
v1.1.0
Generate PNG/SVG charts (line, bar, hbar, pie, stacked, scatter, area) from CSV data using matplotlib. Use when the user asks to visualize tabular data, prod...
by Umbra @mohamed-hammane
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (python3), SKILL.md usage, and included scripts all align: the skill provides a Python script that reads CSV and renders charts with matplotlib — this is coherent and expected.
Instruction Scope
SKILL.md instructs creating a venv in ~/.openclaw/workspace/.venv_chart, installing matplotlib, and running the bundled script against a provided CSV. Those steps are within scope. It does write outputs to ~/.openclaw/workspace/exports/images (or to a user-specified --out). The audit is limited because the provided scripts/chart_mpl.py was truncated in the package listing, so the latter part of runtime logic (after beginning of scatter branch and any remaining code) could not be inspected.
Install Mechanism
No install spec is present (instruction-only); the SKILL.md recommends a venv and pip install matplotlib. There is no external download of code — the script is included in the package — so install risk is just the normal PyPI install of matplotlib and its dependencies.
Credentials
The skill requests no environment variables or credentials. It reads CSV files supplied by the user and writes image files to the workspace or a user-provided --out path, which is proportionate to the stated purpose.
Persistence & Privilege
always:false and user-invocable:true. The skill creates its own venv and output directories under ~/.openclaw/workspace, which is a reasonable level of persistence and scoped to its own files; it does not request elevated platform privileges.
What to consider before installing
This skill appears to do what it claims (create charts from CSV) and relies on a bundled Python script plus matplotlib. However, the provided script content was truncated in the package listing, so you should not run it unreviewed. Before installing or running: (1) review the full scripts/chart_mpl.py file for any subprocess, networking, or filesystem operations beyond reading the CSV and writing the image (search for os.system, subprocess, socket, requests, urllib, open to unexpected paths, or code that posts files); (2) run pip installs inside an isolated virtual environment or sandbox; (3) if you will supply CSVs exported from other skills, ensure those CSVs don't contain sensitive data you don't want processed or written to disk; (4) consider running the script on a non-production machine first. If you can provide the complete script (no truncation), I can re-evaluate and raise confidence to high if nothing suspicious appears.
Like a lobster shell, security has layers — review code before you run it.
latestvk977g2wszrpk664p0aeet5pnvh847x89
Runtime requirements
CH Clawdis
Bins: python3
