ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ELPA

v1.0.0

Orchestrate real ELPA-style ensemble forecasting workflows by triggering external sub-model training jobs (for example PyTorch/Prophet/TiDE/transformers), th...

0· 160·0 current·0 all-time
by@anonymouscodemaker
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and assets: the orchestrator builds a plan and (optionally) runs real sub-model training commands and the integrator computes weights from validation errors. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md instructs the agent to dry-run and optionally execute training commands from a user-supplied JSON config; the code reads those configs, renders command templates, writes manifests and logs, and reads CSVs for errors. This stays within the described purpose but implies execution of arbitrary shell commands from the config — expected for this tool, but a significant operational risk if configs are untrusted.
Install Mechanism
Instruction-only with included Python scripts; there is no install spec, no external downloads, and no package installation steps. Files are written under the chosen run-dir; nothing is pulled from external hosts.
Credentials
The skill declares no required environment variables or credentials. Per-model configs may include an "env" object which the orchestrator will merge into the subprocess environment — this is appropriate for training jobs but means the config can inject environment values into executed processes.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills. It writes manifests, logs, and model directories under the run-dir (default .runtime/elpa_runs/<timestamp> or user-specified path), which is expected behavior for an orchestrator.
Assessment
This skill is coherent for orchestrating real training, but it will execute whatever shell commands appear in the JSON config. Only use configs and train_cmd templates from trusted sources. Recommended precautions: - Always run a dry-run first and inspect the generated manifest and train_cmd strings before using --execute. - Use a dedicated, sandboxed environment (container or isolated VM) with controlled dataset and filesystem access for execution. - Set run-dir to a directory you control and review stdout/stderr logs for secrets or unexpected output. - Inspect any per-model "env" entries in configs to ensure they don't inject sensitive credentials into subprocesses. - Avoid running this skill with configs obtained from untrusted third parties; validate templates and placeholders to prevent accidental execution of destructive commands (e.g., via shell metacharacters).

Like a lobster shell, security has layers — review code before you run it.

latestvk97c9abwsafp34k4r3yg7rqe4982xgax

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments