Generate Chart

Security checks across malware telemetry and agentic risk

Overview

This is a coherent chart-generation skill that uses a disclosed PDFAPIHub API, with ordinary privacy caution for chart data sent to that service.

Use this skill only for chart data you are comfortable sending to pdfapihub.com. Keep the CLIENT-API-KEY secret, and avoid personal, regulated, confidential, or sensitive financial/business data unless you have reviewed and accepted the provider's privacy and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (93% confidence)
Finding
The example contradicts the stated skill behavior by sending chart data to a third-party API that generates and hosts the output remotely, rather than clearly indicating local Chart.js rendering. This creates a data disclosure and trust-boundary issue because user-supplied chart contents may be transmitted off-platform and retained externally without the description making that explicit.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Returning a public CDN URL and deletion date shows that generated charts are hosted remotely and retained for some period, which expands the privacy and exposure surface beyond simple chart generation. If charts contain sensitive business or personal data, anyone with the URL or access to the hosting layer may retrieve the image during the retention window.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly instructs users to send an API key and chart data to a third-party service, but it does not clearly warn that the data leaves the local agent environment and is transmitted to an external provider. This creates a real privacy and data-handling risk because users may unknowingly submit sensitive business data, report contents, or credentials to an external system.

VirusTotal

64/64 vendors flagged this skill as clean.
