Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Funding Trend Forecaster

v0.1.0

Predict funding trend shifts using NLP analysis of grant abstracts from NIH, NSF, and Horizon Europe

by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with included code: NLP preprocessing, simple topic modeling, forecasting. The SKILL.md promises multi-source collection from NIH/NSF/Horizon Europe which is plausible for the task and does not require private credentials. However the documented architecture references collectors/analyzers modules (collectors/nih_collector.py, analyzers/*) that are not present in the file manifest (only scripts/main.py is shipped). That mismatch suggests the package is incomplete or the main file is expected to contain all functionality — the skill's claims are reasonable but the packaging is inconsistent.
Instruction Scope
Run instructions are explicit (pip install requirements, nltk.download, run scripts/main.py). The instructions require network access to download NLTK corpora and to fetch data from public agency sites (reporter.nih.gov, nsf.gov, ec.europa.eu). There are no instructions to read unrelated system files or to use secrets. Still, SKILL.md indicates automatic multi-source scraping — review the actual collectors code (or the remainder of main.py) to confirm scraping behavior, rate limits, and that no unexpected endpoints or telemetry are contacted.
Install Mechanism
No formal install spec in registry (instruction-only), but SKILL.md tells the user to pip install -r requirements.txt and to download NLTK data. That is a normal installation method but does pull packages from PyPI and will download NLTK corpora over the network. The requirements.txt is modest; there are minor duplicates (dateutil vs python-dateutil). No remote binary downloads or opaque third-party installers were specified.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate to publicly scraping/processing grant abstracts. There are no demands for unrelated secrets or broad cloud credentials.
Persistence & Privilege
The skill is not marked always:true and uses normal invocation. It does not request permanent agent privileges in the manifest. Nothing in the provided materials indicates modification of other skills or system-wide settings.
What to consider before installing
This skill appears to implement the advertised NLP and forecasting functionality, but there are a few red flags to check before installing or running it on a production machine:
1) Confirm the missing modules: SKILL.md claims collectors/analyzers files that are not in the package manifest — inspect scripts/main.py fully to ensure all collection code is present and readable.
2) Review all network endpoints in the code: make sure it only fetches from the public agency URLs you expect and does not post data to unknown servers or phone home.
3) Run in an isolated environment (container or VM) first and monitor network traffic while executing a small scrape to verify behavior and rate limits.
4) Limit scope via config.json (max_results, enabled sources) to avoid heavy scraping and possible IP blocking.
5) Because the skill downloads NLTK corpora at install time and installs PyPI packages, prefer running pip installs in a virtualenv; inspect requirements for supply-chain concerns.
6) Ask the author for provenance or a homepage/source repository — absence of a known source reduces trust.
If you cannot inspect the full collector/analyzer code or cannot validate where data is being sent, avoid running it on sensitive hosts or with privileged credentials.

