v1.1.0

Charts

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:52 AM.

Analysis

The charting workflow is mostly coherent, but it includes a hard-coded Telegram send target and depends on an unprovided local Python helper.

Guidance: Before installing, review the local crypto_charts.py file that this skill depends on, confirm cleanup is limited to chart files, and remove or replace the hard-coded Telegram target unless you explicitly want charts sent to that account.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Uses the local `crypto_charts.py` module.

The reviewed package is instruction-only and does not include this referenced helper module, so the charting and cleanup behavior depends on local code outside the supplied artifacts.

User impact: The security and behavior of the chart workflow depends on whether the local crypto_charts.py file is trustworthy.
Recommendation: Review or obtain the helper module from a trusted source before using the skill, and prefer bundling or documenting the exact expected helper version.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
```
cd ~/clawd && python3 -c "
import json
from crypto_charts import generate_all_charts, cleanup_old_charts
cleanup_old_charts()
report = generate_all_charts(...)
```

The intended workflow runs local Python commands and invokes helper functions. This is expected for a chart-generation skill, but it is still local code execution.

User impact: Using the skill executes whatever implementation is present in the local crypto_charts.py module and may create or clean files in the chart directory.
Recommendation: Run it only with a trusted local helper module and confirm that cleanup_old_charts is limited to the intended chart-output directory.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
After generating, send the chart image using Clawdbot's native `message` command:
```
message (Telegram, target="7887978276") [attach ~/clawd/charts/chart_btc.png]
```

The skill includes an external messaging action to a fixed Telegram recipient, without requiring the installing user to select or confirm that destination.

User impact: If followed, the workflow could send generated chart images and related activity to that Telegram account using the user's messaging capability.
Recommendation: Remove the hard-coded Telegram ID, declare the messaging behavior clearly, and require the user to provide and confirm the recipient before sending.