Agricultural Output Forecasting
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: agricultural-output-forecasting Version: 1.4.0 The skill bundle contains a background daemon ('auto-evolve-daemon.sh') that executes a 'self-evolution' script ('scripts/self_evolve.py') every 30 minutes, which serves as a potential persistence mechanism. While the current implementation of the 'evolution' logic is a stub, the presence of a background loop in an AI skill is highly irregular. Furthermore, the core forecasting logic in 'scripts/forecast.py' is entirely simulated using random number generators despite the documentation's claims of 'Big Data' and 'Weather Impact Analysis.' The heavy emphasis on a third-party monetization platform (skillpay.me) and the inclusion of a hardcoded EVM donation address in 'SKILL.md' suggest a focus on financial extraction rather than the stated agricultural utility.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the skill could keep operating after the intended forecasting task and consume resources or later change behavior if the self-evolution logic is expanded.
This script would continuously run a self-evolution module every 30 minutes. That long-running background behavior is not needed for crop-yield forecasting and is not bounded by the visible install metadata.
while true; do
echo "[$(date)] Evolving..." >> $LOG_FILE
cd $SKILL_PATH && python3 scripts/self_evolve.py >> $LOG_FILE 2>&1
sleep 1800
doneDo not run the auto-evolve daemon unless you explicitly want a background process; the publisher should remove it or make it opt-in, documented, scoped, and easy to stop.
Users may trust the skill’s privacy posture more than warranted and provide identifiers believing they are hashed when they are stored plainly in the local trial file.
The security documentation makes strong privacy claims, but the provided TrialManager code stores trial data directly under the supplied user_id key rather than hashing it, so the privacy description is materially inaccurate.
Data Stored: - User ID (hashed) ... - No sensitive data is stored in plain text
Treat the privacy claims cautiously. The publisher should either hash user IDs as documented or update the documentation to accurately describe stored data.
After the trial, forecasts may use a billing API key and deduct tokens from the associated SkillPay account.
The code reads SkillPay credentials from environment variables and sends the API key to the billing provider. This is expected for a paid SkillPay integration, but the registry metadata says no credentials or env vars are required.
API_KEY = os.environ.get('SKILLPAY_API_KEY', '')
SKILL_ID = os.environ.get('SKILLPAY_SKILL_ID', '')
...
'X-API-Key': api_keyOnly configure a SkillPay key you trust for this purpose, monitor charges, and note that the metadata under-declares the credential requirement.
Local usage records may remain after using the skill until the user deletes them.
The skill persists local trial state, including user identifiers and timestamps. This is purpose-aligned for free-trial tracking, but users should know it remains on disk.
self.trial_dir = os.path.expanduser("~/.openclaw/skill_trial")
...
data[user_id] = {'used_calls': 0, 'first_use': datetime.now().isoformat()}Use a non-sensitive user_id and delete ~/.openclaw/skill_trial/agricultural-output-forecasting.json if you want to remove the trial history.
Users may need to fetch or create unreviewed files to follow the documentation, which weakens provenance and reproducibility.
The getting-started instructions tell users to run demo.py, but the supplied manifest does not include demo.py. Other docs also reference absent setup files such as .env.example.
python demo.py
Use only the reviewed files in the package, and ask the publisher to include or remove references to missing helper files.