Skill v1.0.0
ClawScan security
Chart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 8:17 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Files, instructions, and requirements are consistent with a local-first chart generator that stores outputs under ~/.openclaw/workspace; nothing in the code or SKILL.md requests unrelated credentials, network access, or unexpected privileges.
- Guidance: This skill appears to be what it says: a local chart generator implemented in small Python scripts and storing outputs under ~/.openclaw/workspace/memory/chart. Before running: (1) install matplotlib from a trusted source (pip/system package) and run init_storage.py to create the workspace; (2) inspect the included scripts if you have any doubts (they are short and only perform JSON IO and image generation); (3) run the scripts in a trusted environment or virtualenv if you prefer isolation; (4) be aware that the skill will write files to ~/.openclaw/workspace/memory/chart and create PNG outputs—if you need stricter containment, run it inside a container or restricted account. There are no signs of network exfiltration or secret access in the provided files.
Review Dimensions
- Purpose & Capability: ok. The skill claims to be a local chart generator and includes Python scripts (make_chart.py, suggest_chart.py, list_charts.py, init_storage.py) that implement that functionality. The SKILL.md correctly notes Python 3 and matplotlib as runtime requirements. No unrelated binaries, credentials, or external services are requested.
- Instruction Scope: ok. Runtime instructions limit activity to local chart generation and storage under ~/.openclaw/workspace/memory/chart. The scripts read/write charts.json and generate PNGs; they do not reference other system paths, environment secrets, network endpoints, or perform broad data collection.
- Install Mechanism: ok. There is no install spec that downloads code from the network; the skill is instruction/code-only. It requires matplotlib to be present on the host, which SKILL.md documents. No remote downloads, extract steps, or third-party install URLs are present.
- Credentials: ok. The skill declares no required environment variables or credentials. Its only filesystem access is to a dedicated directory under the user's home (~/.openclaw/workspace/memory/chart), which is proportionate for storing charts and metadata.
- Persistence & Privilege: ok. The skill does not request always:true and is user-invocable only. It writes only to its own workspace directory and does not modify other skills or system-wide agent settings.
