Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match a Python chart generator and the included charting functions are coherent. However, SKILL.md documents additional runtime helpers (chart-gen, chart-gen-send, automatic Telegram sending) that are not documented as requiring credentials or an install step and are not obviously reflected in the declared metadata.
Instruction Scope
SKILL.md contains example invocations that assume user-specific absolute paths (/home/thor/.openclaw/...), conda invocation, and a chart-gen-send feature that 'sends to Telegram and auto-cleans' — that operation would involve network access and secrets but no env vars or endpoints are declared. The examples also reference wrapper commands (chart-gen, chart-gen-send) even though there is no install step shown to create those binaries.
Install Mechanism
This is instruction-only with one Python file and no install spec. That keeps disk footprint small, but SKILL.md claims wrapper commands and Telegram sending without an install step or declared entry points; it's unclear how those command names are provided to users, which is an incoherence (not necessarily malicious but concerning).
Credentials
The documentation describes sending charts to Telegram (chart-gen-send) and automatic cleanup but the skill declares no required environment variables or primary credential. If Telegram integration is implemented, the skill should declare tokens/chat IDs — their absence is a mismatch and could indicate hidden credential handling or missing documentation.
Persistence & Privilege
Skill metadata does not request always:true or other elevated persistent privileges; default autonomy is allowed but not excessive. No config paths or system-wide changes are declared.
What to consider before installing
This package appears to implement chart generation, but there are several mismatches you should resolve before installing:
1) SKILL.md mentions a chart-gen-send that posts to Telegram, yet no environment variables (e.g., TELEGRAM_TOKEN, CHAT_ID) or endpoints are declared — inspect the full chart_gen.py to confirm whether it reads/writes network credentials or contacts external servers.
2) Examples use wrapper commands (chart-gen, chart-gen-send) and hardcoded conda paths (/home/thor/...), but there is no install spec to create those commands — ask the author how those are installed or expect to run the Python script directly.
3) Because the file shown is truncated, review the remainder of chart_gen.py to check for any network I/O, hardcoded endpoints, or hidden credential handling.
If you need Telegram integration, prefer that the skill explicitly documents required env vars and their scope, or run the tool in a sandboxed environment and avoid providing any secrets until you confirm where and how they are used.
Like a lobster shell, security has layers — review code before you run it.
latest vk975tpgazc5eav3dd05gqjv9n9832jfr
Runtime requirements
📊 Clawdis
