Chart AI

v1.0.0

Use this skill when the user wants to create visualizations (charts, dashboards, diagrams, Gantt, PPT), analyze data (Excel/CSV upload, cross-file analysis,...

by ChartGen AI (@chartgen-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign, medium confidence
Purpose & Capability
The skill's stated purpose (data visualization, analysis, PPT generation) matches the included tool (uploads files, posts queries, polls tasks, returns artifacts). The required environment variable CHARTGEN_API_KEY is appropriate. However, the registry metadata lists no required binaries while SKILL.md and the runtime instructions require Node.js (node >= 14) and the JS helper is executed with `node tools/chartgen_api.js` — that mismatch is an incoherence that should be fixed or documented.
Instruction Scope
The SKILL.md keeps scope narrow: confirm with user, notify, submit via the included JS helper, poll, and deliver results. The instructions intentionally read and upload user-supplied files (.csv/.xls/.xlsx/.tsv). The helper also looks for an API key in several local config paths (~/.openclaw, ~/.config/chartgen/api_key, ~/.chartgen/api_key), which means the tool will attempt to read those files if CHARTGEN_API_KEY is not set — this is consistent with finding a saved API key but should be noted as local file access.
Install Mechanism
No install spec — instruction-only with a small JS helper bundled. No downloads from external URLs or package managers. This is low-risk from an installation perspective. The one inconsistency is that Node is required at runtime but not declared in required binaries in registry metadata.
Credentials
Only CHARTGEN_API_KEY is declared as required and is proportional to the skill's functionality. The helper also respects CHARTGEN_API_URL (allows redirecting the target endpoint) and will search local config files and OPENCLAW_STATE_DIR for API keys; that behavior is reasonable but means the tool may read local files to find credentials. If you have other secrets stored in the same locations, they could be detected (the helper looks for fields named api_key/apiKey/token/access_token in JSON files).
Persistence & Privilege
always:false (no forced inclusion). The skill writes artifacts to a media/workspace directory (state dir or ~/.openclaw or tmp), which is expected for delivering images/PPT previews. It does not request elevated platform privileges, does not modify other skills' config, and does not persist beyond creating its own media/config files.
Assessment
What to consider before installing:
- Function: This skill uploads files and queries to the ChartGen service and returns charts/PPTs. It requires an API key (CHARTGEN_API_KEY) that the helper sends to the remote service.
- Node requirement: The skill runs `node tools/chartgen_api.js` but the registry metadata doesn't list Node as a required binary — ensure Node.js >=14 is installed on the agent host.
- Local file access for API key: If CHARTGEN_API_KEY is not set, the tool will try to read API keys from several local paths (~/.openclaw, ~/.config/chartgen/api_key, ~/.chartgen/api_key). If you don't want the skill to search your home/state dirs for keys, set CHARTGEN_API_KEY explicitly or remove those files.
- Data privacy: Uploaded files are sent to the ChartGen endpoint (default https://chartgen.ai, but CHARTGEN_API_URL can override). Do not upload sensitive personal or secret data unless you trust the ChartGen service and its storage/retention policies.
- Endpoint override risk: If CHARTGEN_API_URL is set in your environment, the skill will send data to that host. Make sure it isn't pointed to an untrusted or malicious endpoint.
- Verify source: The homepage repo is listed; if you need higher assurance, review the repository and the tool code before granting the API key. If anything looks unexpected (e.g., different endpoints or extra network calls), do not provide credentials.
Overall: the skill appears coherent and appropriate for its stated purpose, but confirm Node availability, be deliberate about where your API key is stored, and avoid uploading sensitive data unless you trust the remote service.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a8d4s6xf1s5z7jha9p9j4tx83hn6h


Runtime requirements

Env: CHARTGEN_API_KEY
