Skillv1.0.0

ClawScan security

Data Visualization Studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 4:16 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with a data-visualization tool and do not request unrelated credentials, installs, or access.
Guidance: This skill appears coherent and implements what it claims: creating and exporting visualizations from local data. Before installing, ensure the runtime has the required Python libraries (pandas, plotly, matplotlib, seaborn and an image engine like kaleido or orca for static exports). Be aware that the skill reads local data files and writes output files—do not supply sensitive data you don’t want written to disk or potentially overwritten. If you run in a shared environment, confirm file paths to avoid accidental overwrites. If you need the skill to fetch remote data or install missing packages automatically, request those behaviors explicitly and review any future install steps or external URLs carefully.

Review Dimensions

Purpose & Capability: okName/description align with the included SKILL.md, reference docs, and the Python script which implements chart creation and export. The requested capabilities (reading data files and producing PNG/HTML/PDF/etc.) match the stated purpose; there are no unrelated credentials, binaries, or config paths required.
Instruction Scope: okRuntime instructions are limited to loading data (CSV/JSON/XLSX/etc.), creating visualizations, and saving outputs. The SKILL.md examples and the script operate only on user-supplied data and output files; there are no instructions to read unrelated system files, environment secrets, or to transmit data to external endpoints.
Install Mechanism: okThis is instruction-only with no install spec. There is one bundled Python script that imports common visualization libraries (pandas, plotly, matplotlib, seaborn). No external download URLs or install actions are present. (Note: runtime requires those Python packages to be available, but the skill does not attempt to install them.)
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The code imports os but does not read environment secrets. No disproportionate access to unrelated services or secrets is requested.
Persistence & Privilege: okThe skill is not marked always:true and does not request persistent platform privileges or modify other skills' settings. It is user-invocable and may be invoked autonomously (the platform default), which is expected for a utility skill of this kind.