Generate publication-quality chart images from data. Supports line, bar, area, point, candlestick, pie/donut, heatmap, multi-series, and stacked charts. Use...
Security Analysis
High confidence: The skill's code, instructions, and dependencies are coherent with its stated purpose (server-side chart image generation) and do not request unrelated credentials or hidden capabilities.
Name/description (generate chart PNGs with Vega-Lite + Sharp) aligns with included files, package.json, and the CLI usage in SKILL.md/CAPABILITY.md. No unexpected credentials, binaries, or config paths are requested.
Runtime instructions are limited to installing Node dependencies (npm install) and running the provided chart.mjs script. The skill writes temporary chart data to /tmp and outputs files to disk as expected. There are no instructions to read unrelated system files, access platform credentials, or transmit data to external endpoints autonomously.
This is an instruction-only skill but includes a Node script and package.json; the recommended install is `npm install` in the scripts folder. That pulls sharp/vega/vega-lite from the public npm registry (package-lock.json present). This is expected for a Node image-generator but means native libvips prebuilt binaries and many optional packages will be installed — moderate supply-chain surface compared with a zero-dep instruction-only skill.
The skill requests no environment variables or credentials. It uses local filesystem paths (/tmp and /data/clawd/skills) consistent with platform conventions. There are no unrelated secret/env accesses in SKILL.md or the visible code.
always:false and user-invocable. The skill does not request permanent system-wide privileges or modify other skills. It writes temporary output files and expects an install step but does not claim or require elevated persistence.
Guidance
This skill appears to do what it says: generate charts using Vega-Lite and Sharp. Before installing:
1) Run npm install and the skill inside an isolated environment (container or sandbox) to limit filesystem/network blast radius.
2) Review and pin package versions (package-lock.json exists) and optionally run `npm audit` or scan dependencies for known issues.
3) Avoid passing secrets or sensitive data to the --data/STDIN inputs (the script will write input to /tmp).
4) If you deploy on shared infrastructure, restrict file permissions and ephemeral storage for generated images.
If you need extra assurance, inspect the full chart.mjs content locally for any network calls or child_process usage before running.
Latest Release
v2.5.1
chart-image v2.5.1
- Version bump from 2.4.0 to 2.5.1.
- Documentation updated (README.md, SKILL.md): no new features or options documented.
- No changes to code structure or CLI arguments are documented.
Published by @dannyshmueli on ClawHub