Skill flagged: suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grant Gantt Chart Gen
v0.1.0 · Create project timeline visualizations for grant proposals
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The SKILL.md promises image outputs (png, pdf, svg), CSV milestone input, and a CLI usage example producing a gantt.png, but scripts/main.py only emits ASCII, Mermaid syntax, or JSON and expects a JSON milestones file (or defaults). The documentation and parameter table do not match the script's actual capabilities, which is disproportionate and misleading.
Instruction Scope
Both SKILL.md and the script operate on local files only (read input milestones, write output). The script does not perform network access or request credentials. However, SKILL.md's usage and features (image generation, CSV input) are inconsistent with the code. The script will open any path supplied for --milestones and will write to any --output path without validation, which could lead to unintended file writes if a user supplies paths maliciously or accidentally.
Install Mechanism
No install spec and no external packages or binaries required; the script uses only Python standard library modules, so there is low install-related risk.
Credentials
No environment variables, secrets, or credentials are requested. The skill does not require unrelated cloud or system credentials — this is proportionate to its stated local-file chart generation purpose.
Persistence & Privilege
The skill is not always-enabled and doesn't modify other skills or system-wide settings. It only writes its own specified output file; there is no persistent privileged presence requested.
What to consider before installing
This skill appears to be a simple local Gantt generator, but the documentation and the actual script disagree in important ways. Before installing or running it:
(1) Ask the author to fix SKILL.md so parameters, input format, and output formats match the code (CSV vs JSON, png/pdf/svg vs ascii/mermaid/json).
(2) Treat any untrusted input file path carefully; run the script in a sandboxed workspace to avoid accidental overwrites.
(3) If you need image output, verify or request the implementation that actually renders images (the current script does not).
(4) Request input path validation and restricted output directory behavior to avoid path traversal or accidental writes.
Given these mismatches, do not trust the skill for production use until the documentation and behavior are reconciled and basic input validation is added.
Version: latest (vk97etbyp6cdxfc5cftqh0fhe0d83f3hj)
