Skill v1.0.0

ClawScan security

Generate Chart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 3:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper that posts Chart.js data to a third-party chart-generation API (pdfapihub.com); its requirements and instructions are consistent with that purpose, but using it will send your chart data to an external service so verify privacy and API-key handling first.
Guidance
This skill simply sends your Chart.js configuration and data to https://pdfapihub.com to get a generated image. Before using it, verify the legitimacy and privacy/retention policy of pdfapihub.com, avoid sending sensitive or personally identifying data to the third-party service, and treat the CLIENT-API-KEY like any secret (use a dedicated key, do not reuse keys across unrelated services, and rotate/revoke if compromised). Test with non-sensitive/dummy data first. If you need chart generation entirely under your control, consider a local/server-side Chart.js renderer instead of a third-party API.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md, example.json, and skill.json consistently describe a chart-generation API using Chart.js served by pdfapihub.com. The declared API auth header (CLIENT-API-KEY) is appropriate for this purpose.
Instruction Scope
ok: Runtime instructions are narrowly scoped: they show how to POST chart_type, data, options, and sizing to the external API and how to include CLIENT-API-KEY. The instructions do not request unrelated files, system paths, or extra credentials.
Install Mechanism
ok: There is no install step and no code to execute locally (instruction-only). This minimizes filesystem risk; nothing is downloaded or written by the skill itself.
Credentials
note: The skill requires an API key (CLIENT-API-KEY) to call the third-party service (skill.json marks auth required). The registry metadata shows no required environment variables, which is consistent for an instruction-only skill, but users must supply an API key when calling the API. This is proportionate to the stated function, but remember the API key grants access to a remote service and should be handled as a secret.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. It does not modify other skills or system-wide configuration.