Agricultural Output Forecasting

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run, the skill could keep operating after the intended forecasting task and consume resources or later change behavior if the self-evolution logic is expanded.

Why it was flagged

This script would continuously run a self-evolution module every 30 minutes. That long-running background behavior is not needed for crop-yield forecasting and is not bounded by the visible install metadata.

Skill content

while true; do
    echo "[$(date)] Evolving..." >> $LOG_FILE
    cd $SKILL_PATH && python3 scripts/self_evolve.py >> $LOG_FILE 2>&1
    sleep 1800
done

Recommendation

Do not run the auto-evolve daemon unless you explicitly want a background process; the publisher should remove it or make it opt-in, documented, scoped, and easy to stop.

What this means

Users may trust the skill’s privacy posture more than warranted and provide identifiers believing they are hashed when they are stored plainly in the local trial file.

Why it was flagged

The security documentation makes strong privacy claims, but the provided TrialManager code stores trial data directly under the supplied user_id key rather than hashing it, so the privacy description is materially inaccurate.

Skill content

Data Stored:
  - User ID (hashed)
...
- No sensitive data is stored in plain text

Recommendation

Treat the privacy claims cautiously. The publisher should either hash user IDs as documented or update the documentation to accurately describe stored data.

What this means

After the trial, forecasts may use a billing API key and deduct tokens from the associated SkillPay account.

Why it was flagged

The code reads SkillPay credentials from environment variables and sends the API key to the billing provider. This is expected for a paid SkillPay integration, but the registry metadata says no credentials or env vars are required.

Skill content

API_KEY = os.environ.get('SKILLPAY_API_KEY', '')
SKILL_ID = os.environ.get('SKILLPAY_SKILL_ID', '')
...
'X-API-Key': api_key

Recommendation

Only configure a SkillPay key you trust for this purpose, monitor charges, and note that the metadata under-declares the credential requirement.

What this means

Local usage records may remain after using the skill until the user deletes them.

Why it was flagged

The skill persists local trial state, including user identifiers and timestamps. This is purpose-aligned for free-trial tracking, but users should know it remains on disk.

Skill content

self.trial_dir = os.path.expanduser("~/.openclaw/skill_trial")
...
data[user_id] = {'used_calls': 0, 'first_use': datetime.now().isoformat()}

Recommendation

Use a non-sensitive user_id and delete ~/.openclaw/skill_trial/agricultural-output-forecasting.json if you want to remove the trial history.

What this means

Users may need to fetch or create unreviewed files to follow the documentation, which weakens provenance and reproducibility.

Why it was flagged

The getting-started instructions tell users to run demo.py, but the supplied manifest does not include demo.py. Other docs also reference absent setup files such as .env.example.

Skill content

python demo.py

Recommendation

Use only the reviewed files in the package, and ask the publisher to include or remove references to missing helper files.