Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Data Visualization
v0.1.5Data visualization with chart selection, color theory, and annotation best practices. Covers chart types (bar, line, scatter, heatmap), axes rules, and story...
⭐ 0· 3.2k·25 current·28 all-time
byÖmer Karışman@okaris
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, and recipes align with a data visualization guide. However, the SKILL.md consistently steers users toward using the inference.sh CLI and its remote python-executor rather than local tooling; that dependence on a specific remote executor is not strictly necessary for a visualization guide and should be justified to users.
Instruction Scope
Instructions include a curl | sh install pipeline and multiple examples that run code via infsh app run (remote execution). The doc does not warn that your code, and any data you include, will be transmitted to inference.sh or explain how data is handled, retained, or protected. Recommending remote execution without privacy/consent details is scope creep for a guide that could equally show local commands.
Install Mechanism
Although the registry lists no install spec, the SKILL.md explicitly recommends piping https://cli.inference.sh to sh which downloads a binary from dist.inference.sh. curl | sh is a high-risk pattern (runs remote code immediately). The doc asserts checksum verification is available, but that requires users to perform manual checks; the skill provides no automated, verifiable install spec in the registry.
Credentials
The skill requests no environment variables, credentials, or config paths — that's proportionate to a documentation/recipe skill. Note: the use of a remote executor implies network transmission of code/data even though no credentials are required; the skill does not explain this.
Persistence & Privilege
The skill does not request always-on presence and has no install artifacts in the registry. It is instruction-only and does not request elevated privileges or modification of other skills.
What to consider before installing
This is a legitimate-looking visualization guide, but it repeatedly instructs you to install and use a third-party CLI (inference.sh) via curl | sh and to run code remotely. Before installing or sending any data to that service: 1) prefer running the provided Python code locally (pip install matplotlib) if you want to avoid sending data off-host; 2) if you consider using inference.sh, manually inspect their install script and verify the SHA-256 checksums from a trusted channel (do not blindly pipe to sh); 3) avoid sending sensitive or proprietary datasets to the remote executor unless you have reviewed their privacy/storage policy and trust the provider; 4) ask the publisher for an explicit privacy/data-handling statement and for an official install spec (e.g., a package in a known repo or a documented release on GitHub). These issues make the skill suspicious rather than clearly benign.Like a lobster shell, security has layers — review code before you run it.
latestvk970tw10qfw2qb5d3dm6fwn5xs81d4ef
License
MIT-0
Free to use, modify, and redistribute. No attribution required.