Is bobbyg603/chart-splat safe?
https://github.com/openclaw/skills/tree/main/skills/bobbyg603/chart-splat
chart-splat is a functionally legitimate chart-generation skill that connects to the chartsplat.com API to render PNG images from user-supplied data. The skill code itself is clean with no prompt injection, hidden instructions, or direct attempts to read sensitive files. The primary risk is its preferred execution method — 'npx -y chartsplat-cli' — which downloads and executes a live npm package at invocation time, creating a post-audit supply chain attack surface. Users should also be aware that chart data (including business metrics) is transmitted to the third-party api.chartsplat.com service.
Findings (7)
HIGH npx runtime download executes unverified npm package -33
The skill's preferred method instructs the agent to run 'npx -y chartsplat-cli' which fetches and executes the latest published version of the chartsplat-cli package from npm at invocation time. The -y flag suppresses all prompts including lifecycle script warnings. This means the package author (or an attacker who compromises the npm account or the package name) can push a malicious version that runs arbitrary code with full agent permissions. The skill passed audit with the current package version, but future versions are not audited.
MEDIUM User chart data transmitted to third-party API -24
All chart data — labels, numeric datasets, and titles — is serialized to JSON and POSTed to api.chartsplat.com. Users who chart sensitive business data (revenue figures, user counts, internal metrics) should be aware this data leaves their environment. The service is operated by a third party (chartsplat.com) whose data handling and retention policies are outside the user's control.
MEDIUM API endpoint overridable via CHARTSPLAT_API_URL environment variable -10
The helper script reads CHARTSPLAT_API_URL from the environment with no validation. If this variable is set to a malicious server (e.g., via a compromised .env file or another skill), all chart data and API keys would be transmitted to the attacker's endpoint.
LOW JSON config file read from disk without path validation -12
Both the CLI and helper script accept a --config flag that reads an arbitrary JSON file from disk. While the content is passed as a chart configuration and would likely cause an API error if it contained non-chart data, there is no restriction on which filesystem paths can be read. A prompt injection or malicious instruction could direct the agent to pass a path like ~/.npmrc or ~/.aws/credentials to the config flag, leaking the file contents in the error response.
LOW API key required from third-party service -7
Installation requires obtaining and configuring a CHARTSPLAT_API_KEY from chartsplat.com. This creates a dependency on an external commercial service and requires the user to authenticate with it. Key compromise or service termination would break the skill.
INFO Clean git sparse-checkout install with no side effects 0
The install process performed a sparse git clone of the monorepo, checked out only the skill subdirectory, copied files to the destination, and cleaned up. No unexpected processes or network connections attributable to the skill were observed.
INFO Canary file accesses attributable to audit framework, not skill 0
File access syscalls for .env, .ssh/id_rsa, .aws/credentials, and other sensitive files were observed at timestamps before and after skill installation (1771936215 and 1771936232). The skill installation completed at 1771936221. These accesses are generated by the oathe audit framework for canary setup and teardown, not by the skill itself.