Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mysteel_ChartGeneration
v1.0.0基于文本描述或数据自动生成各类图表(趋势图、对比图、结构图等);当用户需要创建可视化图表、将数据转化为直观表达、生成分析报告插图时使用
⭐ 1· 71·0 current·0 all-time
bymysteel@wyb92
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description, included scripts, and reference docs all describe generating ECharts options via an AI chart-generation API. The Python scripts implement that behavior (reading an API key, POSTing JSON to an external ai-chart endpoint, saving option and meta files, rendering HTML). The externally-called domain (mcp.mysteel.com) matches the 'Mysteel' naming in the package and the references file documents the same API path, so the required network access and an API key are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent/user to create a local references/api_key.md and explains the script flow (reading that file, setting header 'token', calling API, saving outputs) — that is expected. However, the examples and usage commands show 'node scripts/generate_chart.py' and 'node scripts/render_html.py' which is incorrect for provided Python scripts; this is a clear documentation/runtime inconsistency. The skill reads a local secrets file (api_key.md) and transmits its value as the 'token' header to an external service — that behavior is explicitly documented and must be considered by the user. There are no instructions to read unrelated system files or environment variables, but the mis-specified command invocations increase risk of accidental misuse.
Install Mechanism
There is no install spec (instruction-only with included Python scripts). That minimizes installer risk. The declared dependency is just the Python 'requests' library. No downloads from untrusted URLs or archive extraction are present. However, the README's incorrect use of 'node' suggests sloppy packaging/documentation rather than an installer flaw.
Credentials
The skill requests an API key stored in a local file references/api_key.md (not via environment variables). Requesting a single API key for the external chart-generation API is proportionate to the stated purpose. There are no other credential requests or accesses to unrelated configuration paths. Minor mismatch: the skill metadata lists no required env vars while runtime requires an API key file — this is a documentation/manifest omission rather than an obviously malicious request.
Persistence & Privilege
always is false and the skill does not request permanent platform privileges. It runs as user-invoked/autonomous calls are allowed by default but nothing in the package tries to modify other skills or global agent settings. The skill writes output files under ./output and reads a local references/api_key.md — standard behavior for a local tool.
Scan Findings in Context
[EXTERNAL_HTTP_POST_mcp.mysteel.com] expected: The generate_chart.py script POSTs the chart generation payload to https://mcp.mysteel.com/mcp/info/genie-tool/v1/tool/ai-chart. This is expected for a remote AI chart-generation service, but means your API key and data are sent to that external host.
[LOCAL_SECRET_READ_api_key.md] expected: The script reads a local file references/api_key.md to obtain the API key and then places it in the request header 'token'. Reading a local secrets file is expected but you should ensure the file does not contain other sensitive data and is stored securely.
[DOC_COMMAND_MISMATCH_node_vs_python] unexpected: SKILL.md examples execute the included .py scripts with 'node', but the files are Python and the top-of-file shebangs and dependency notes reference Python. This is a documentation/runtime mismatch and could cause user confusion or accidental mis-execution.
What to consider before installing
This skill appears to implement an AI-driven chart generator, but take these precautions before installing or running it:
- Verify the external endpoint: The script sends your API key and request payload to https://mcp.mysteel.com. Confirm you intend to use that service and that the API key you provide is only for this service. If you don't recognize the domain, do not provide secrets.
- API key handling: The skill expects a local file references/api_key.md containing the API key. Prefer storing secrets in a secure secret manager or environment variable if possible, and avoid committing api_key.md into version control. Inspect the file contents format the script expects before creating it.
- Documentation mismatch: SKILL.md shows running the .py files with 'node' — that's incorrect. Run the scripts with Python (python3 scripts/generate_chart.py ...) and ensure Python and the 'requests' package are installed.
- Run in an isolated environment: Execute the scripts in a sandboxed or isolated environment (container or VM) until you are comfortable with network traffic and file outputs.
- Review outputs and network traffic: After a test run, inspect the generated output/ files and, if possible, monitor outbound network requests to confirm only expected calls are made.
Overall, the package is coherent with a chart-generation use-case but the documentation errors and the fact that it transmits a user-supplied key to an external service make it worth extra review before use.Like a lobster shell, security has layers — review code before you run it.
latestvk97dtpa84m5pd8s95x6yqrrw4s83hq6d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.