Skill v1.0.1

ClawScan security

Free Time Series Forecasting with Plonky.ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 3:53 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions, dependencies, and required actions align with a time-series forecasting helper that uses Plonky's API, but the package has no published source/homepage so exercise normal caution about data you upload and account creation.
Guidance
This skill appears coherent for its stated purpose, but note: (1) it will upload your CSV data to the Plonky MCP service and may create/use an API key — do not upload confidential or personally identifiable data unless you trust the service and have permission. (2) The package metadata lists no homepage/source even though SKILL.md links to a GitHub repo and docs; that lowers provenance confidence. (3) If you proceed, verify Plonky's privacy/terms, test with non-sensitive sample data first, and confirm you have the right to share the datasets you upload.

Review Dimensions

Purpose & Capability
ok: The skill is an instruction-only forecasting helper that uses Plonky's MCP API (register, upload_data, analyze_dataset, create_forecast, etc.). The declared purpose (time-series forecasting) matches the operations the instructions describe; there are no unrelated credentials, binaries, or install steps requested.
Instruction Scope
note: The SKILL.md stays focused on data prep, upload, analysis, forecasting, and backtesting. It does instruct the agent to upload CSV data and create accounts via the service's register endpoint when necessary — meaning user data will be transmitted to Plonky's service. It does not instruct the agent to read local system files, environment variables, or unrelated configuration paths beyond the dataset the user provides.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files: nothing is written to disk by the skill itself. This is the lowest-risk install profile.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The only credential interaction described is creating or using an API key for the Plonky MCP service — which is proportional to the stated purpose.
Persistence & Privilege
ok: The skill is not always-on and does not request elevated persistence. It does include steps that may create or use a Plonky account/API key, which is normal for a remote-API integration and limited to the service's scope.