ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chart Generator (Alex)

v2.3.4

Data visualization tool producing SVG charts. Use when you need bar charts, line charts, pie charts, tables, sparklines, gauges, or any data visualization fr...

0· 58·0 current·0 all-time
by@shendingyi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (SVG and ASCII chart generation) match the included scripts: scripts/chart.sh and scripts/script.sh implement ASCII, SVG and HTML exports and CSV import. The presence of sample SVGs and tips.md aligns with the stated purpose.
Instruction Scope
SKILL.md instructs running scripts/chart.sh from the skill directory and documents the CLI options; the runtime actions are limited to parsing user-provided data and writing chart files and logs. However the instructions and scripts write files into the current directory and a persistent data directory (~/.local/share/chart-generator by default), and accept CSV/JSON input — all legitimate for this tool but worth noting because they create persistent files on disk.
Install Mechanism
No install spec is provided (instruction-only install), which keeps risk low. The skill does include executable scripts that will be run when invoked; there is no remote download or third‑party package installation declared.
!
Credentials
Declared requirements list no environment variables or binaries, yet the scripts call python3 (chart.sh embeds a python3 snippet) and use CHART_DIR/XDG_DATA_HOME/HOME to determine writable paths. The skill requests no secrets, but the missing declaration of python3 and the use of CHART_DIR/XDG_DATA_HOME are inconsistencies the user should be aware of.
Persistence & Privilege
The skill creates persistent files: chart files in the working directory, and a per-user data directory (history.log and saved SVGs under ~/.local/share/chart-generator by default). It does not request always:true or elevated privileges, but it will leave artifacts on disk and maintain a usage history file.
What to consider before installing
This skill appears to do what it says (generate ASCII/SVG/HTML charts), but check a few things before installing or running it in a non‑sandboxed environment: 1) The scripts call python3 even though no binaries are declared — ensure python3 is available and inspect the python portion. 2) The scripts write chart files to the current directory and a persistent data directory (~/.local/share/chart-generator by default) and append to history.log — if you care about privacy or disk writes, run it in a disposable or sandboxed directory or adjust CHART_DIR. 3) Some script snippets show bad/non‑portable constructs and the provided file listings are truncated in places — request the full, untruncated source to review for any hidden network calls or additional behavior before trusting it. 4) If you plan to provide CSV/JSON files, avoid supplying sensitive data until you’ve audited the complete scripts. If you want to proceed, run it in a container or VM first and review the full, untruncated script files for unexpected network calls or eval/exec patterns.

Like a lobster shell, security has layers — review code before you run it.

chartvk97ed9q2pn2r9fd9400yf24jn984n81ddatavk97ed9q2pn2r9fd9400yf24jn984n81dlatestvk97ed9q2pn2r9fd9400yf24jn984n81dsvgvk97ed9q2pn2r9fd9400yf24jn984n81dvisualizationvk97ed9q2pn2r9fd9400yf24jn984n81d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments